An Oracle Java SE to Amazon Corretto migration is the single most defensible buyer-side action available against the Java SE Universal Subscription Employee Metric introduced in January 2023. The metric prices Java by total employee headcount across the entire organisation, so a 10,000-employee company pays the same whether it runs twelve Java installations or twelve thousand. The economics of staying on Oracle Java SE for a workload that does not require Oracle's commercial features are indefensible. This playbook lays out the buyer-side migration framework we use to defend our clients through Java SE displacement: the forensic discovery sequence, the Corretto deployment plan, the third-party software compatibility matrix, the audit defence on the historical Oracle Java footprint, and the contract negotiation that closes the renewal cleanly. Every step is benchmarked against real engagements — we have a 100% Java audit defence record across the engagements we have run, 600+ Oracle programmes overall, and $1.8B in advised spend.
Amazon Corretto is the default Oracle Java SE replacement for organisations whose workload mix is dominated by server-side application code, batch processing, and integration middleware. The reasons are commercial more than technical. Corretto is free to deploy in production. It is built from the same OpenJDK source as Oracle Java SE. Security patches ship on the same quarterly Critical Patch Update cadence as Oracle's commercial release. AWS maintains long-term support builds for Corretto 8, 11, 17, 21, and 25 with at least four years of post-release support — typically aligning with Oracle's commercial LTS release windows. The technical risk of moving from Oracle's binary to Corretto's binary is functionally negligible for the vast majority of enterprise workloads. The commercial benefit is the elimination of the Java SE Universal Subscription Employee Metric exposure.
The competitive alternatives — Eclipse Temurin (Adoptium), Microsoft Build of OpenJDK, Azul Zulu, BellSoft Liberica, Red Hat OpenJDK — are also viable and each has a niche where it is preferable. We cover each in dedicated playbooks: Eclipse Temurin for vendor-neutral procurement, Microsoft Build of OpenJDK for Azure-bundled support, Azul Zulu and Platform Core for predictable commercial pricing and pauseless GC, and BellSoft Liberica for JavaFX-bundled support and native-image use cases. Corretto's edge is the AWS support inclusion for customers already running workloads on AWS infrastructure, the certified compatibility kit (TCK) passing builds for every long-term support version, and the operationally familiar deployment story for organisations that already manage other AWS-distributed software. For organisations that do not run on AWS, the support proposition is weaker; in those cases we typically recommend Temurin with optional commercial support from BellSoft or Azul.
The migration plan has to account for the workload types where Corretto is not the obvious choice. Desktop applications that rely on Java Web Start or applets need a different runtime strategy (Corretto deprecates the legacy plugin model, as does every other distribution). Software that requires specific Oracle commercial features — Application Class-Data Sharing in commercial mode, Java Flight Recorder pre-JDK 11, Mission Control commercial features — needs forensic review before migration. Third-party software with vendor-certified-Java-SE-only support contracts has to be reviewed individually. See the Oracle Java licensing guide for the broader Employee Metric exposure framework.
The first phase of any Oracle Java SE to Amazon Corretto migration is forensic discovery. The audit defence framework requires a complete inventory of every Java installation in the estate, identified by vendor, version, deployment context, and licensing surface. Most organisations have substantially more Oracle Java installations than they initially estimate because Oracle Java is bundled inside dozens of third-party products and gets installed by default by package managers and developer tooling. We routinely find that initial estimates of 60 to 80 Oracle Java installations turn into 280 to 1,400 after the forensic sweep completes.
| Discovery surface | What to look for | Audit exposure |
|---|---|---|
| Endpoint scan (workstations) | JRE / JDK installations on Windows / macOS / Linux desktops | Employee Metric applies regardless of usage |
| Server-side application servers | WebLogic, Tomcat, Jetty, JBoss, WAS | Production Java SE installations |
| Batch and ETL processing | Informatica, DataStage, custom Java batch | Server-side Java SE installations |
| Build and CI tooling | Jenkins, GitLab Runner, Maven / Gradle | Developer tooling Java; usage of Oracle binaries triggers metric |
| Third-party software (bundled Java) | Trading platforms, mapping tools, scientific software | Oracle Java bundled inside the vendor's deployment package |
| Container images | Docker images on private registries | Each image with Oracle Java multiplies the surface |
| Cloud deployments (BYOL Java) | EC2 / EKS / Lambda / Azure / GCP | Cloud Java installations counted toward the same metric |
| OT and ICS environments | SCADA, manufacturing systems, embedded engineering tooling | Often-overlooked Java footprint with high audit value |
The forensic discovery has to be performed under audit-defensible methodology. We use a combination of endpoint scanning (Tanium, BigFix, Lansweeper), package manager inventories on Linux servers, container registry scans, third-party software vendor inventories, and manual interview of the OT / engineering teams to surface the embedded footprint. The output is a complete, evidence-based Java installation register with vendor (Oracle vs. OpenJDK distribution), version, deployment context, and replacement path. The register is the foundation for both the migration plan and the audit defence. The Java Licensing service covers the discovery framework end to end.
Trap to avoid: Initial Java inventory estimates from internal teams typically miss 60 to 80 percent of the true footprint. Reserve a 4 to 8 week forensic discovery window before committing to a migration timeline.
Independent, audit-defensible discovery of every Java installation across endpoints, servers, containers, and OT. Buyer-side methodology. Ten-day turnaround.
The technical migration is easy. The third-party software compatibility matrix is where most Java migrations stall. Vendor-supplied software that runs on Java often has a "certified Java SE" support clause requiring Oracle's binary specifically. The buyer-side approach has three options for each vendor: (1) confirm the vendor supports Corretto (most do, often quietly), (2) renegotiate the support agreement to include alternative OpenJDK distributions, (3) replace the vendor's software with an alternative. We build the matrix on every engagement.
The most expensive compatibility scenario is software that genuinely requires Oracle Java SE for vendor support. In those cases the migration plan has to either (1) move the workload to the cloud equivalent of the vendor's product (often available without the Oracle Java SE requirement), (2) replace the vendor with a competitor, or (3) accept the Oracle Java SE Employee Metric exposure on that specific workload while migrating everything else. We have negotiated multiple "Java SE for residual workloads only" contracts with Oracle on engagements where the customer migrated 92 to 98 percent of Java installations to Corretto and retained a small Oracle Java SE footprint for a defined set of workloads. The contract structure is non-standard and has to be negotiated explicitly. See the Contract Negotiation service for the redline framework.
The technical Corretto deployment is the simplest phase of the migration. The buyer-side discipline is to deploy in waves, validate against production traffic before retiring the Oracle Java binary, and maintain rollback capability through the cutover window. The standard sequence we run is:
| Phase | Duration | Activity |
|---|---|---|
| 1. Pilot deployment | 2 weeks | Deploy Corretto on 3 to 5 non-critical workloads; functional validation |
| 2. Performance baseline | 2 weeks | Compare GC behaviour, throughput, latency against Oracle Java baseline |
| 3. Wave 1 deployment | 4 weeks | Deploy Corretto to 20 to 30 percent of low-risk workloads |
| 4. Wave 2 deployment | 6 weeks | Deploy Corretto to mid-risk workloads; retain Oracle Java fallback |
| 5. Wave 3 deployment | 8 weeks | Deploy Corretto to high-risk workloads; full rollback plan |
| 6. Endpoint rollout | 4 weeks | Workstation Java replacement via endpoint management tooling |
| 7. Oracle Java removal | 3 weeks | Forensic removal of Oracle Java binaries; verification scan |
| 8. Audit-defensible documentation | 2 weeks | Evidence package of removal for the future Oracle audit defence |
The audit-defensible documentation phase is the one most often skipped. Oracle's audit team can request evidence of the migration completion date during a future audit and use the period before migration to assess Employee Metric exposure. The buyer-side discipline is to maintain an evidence package — scan results, deployment timestamps, removal verification — that supports the defence narrative. We have used these evidence packages multiple times to defeat audit claims for the post-migration period. The Oracle audit guide covers the broader evidence-based defence framework.
The migration to Corretto closes future Oracle Java SE exposure. It does not close the historical exposure. Oracle's GLAS / LMS Java audit team reviews the customer's Oracle Java SE deployment during the window before the migration to determine retroactive Employee Metric exposure under the January 2023 model. The audit defence has to address the historical period specifically.
The forensic defence framework for the historical Java footprint contains four lines of argument. First, the licensing model in effect at the time of deployment was the historical metric (Processor / NUP), not the 2023 Employee Metric — Oracle's retroactive application of the new metric to historical deployments is contestable and we have contested it successfully multiple times. Second, the actual Oracle binary deployment count, not the inferred deployment from desktop installation telemetry, is the basis for any back-licence claim — Oracle's audit methodology routinely infers installations from telemetry that does not reflect actual runtime usage. Third, the Oracle Java No-Fee Terms and Conditions (NFTC) that applied to JDK 17 between September 2021 and September 2024 created a covered-deployment window that excludes those deployments from any back-licence claim under the prior commercial subscription. Fourth, the bundled-Java distributions of Oracle Java that came with Oracle products (Oracle Database, WebLogic, Fusion Middleware) carry application-specific entitlement and cannot be treated as standalone Java deployments. Each defence point reduces the audit exposure substantially.
We have a 100% Java audit defence record across the engagements we have run, meaning every Java audit we have defended has closed at zero back-licence claim or at a fraction of the original published figure. The defence framework only works when the customer engages before the audit progresses to formal claim — once the claim is in writing the negotiating position is materially weaker. The Audit Defence service covers the full engagement framework.
Engage before Oracle's Java audit progresses to formal claim. 100% Java audit defence record. Independent, buyer-side methodology, fixed-fee engagement.
Cancelling an active Oracle Java SE Universal Subscription requires a specific contract sequence. The standard subscription is an annual term that auto-renews unless the customer issues a non-renewal notice within the contractual notice window — typically 60 days before the anniversary. Missing the notice window locks the customer into another full year of the Employee Metric pricing. The buyer-side discipline is to issue the non-renewal notice early in the migration plan, in writing, with delivery receipt confirmation.
The negotiation around the cancellation has two parts. The first is the cancellation itself — Oracle's account team will pressure the customer to either renew at the headline rate or convert to a multi-year commitment in exchange for a discount. The buyer-side position is to ignore both pressures and exit cleanly. The second is the audit suspension language that should accompany the cancellation. We have negotiated audit suspension clauses on roughly 60 percent of Java SE subscription cancellations where the customer had a credible Corretto migration plan in motion. The clauses do not appear automatically — they have to be redlined into the cancellation correspondence.
The Oracle Java SE to Amazon Corretto migration is the rare Oracle exit where the destination is genuinely free, the audit defence is winnable, and the structural saving is permanent. We have run engagements where the annual Employee Metric exposure on a 30,000-employee customer was quoted by Oracle at $4.2M to $7.5M per year and closed at zero through the Corretto migration plus historical audit defence. The Oracle Java licensing guide covers the broader Employee Metric framework that surrounds this entire decision.
Yes for the vast majority of production workloads. Amazon Corretto is a no-cost, multi-platform, production-ready distribution of OpenJDK with the same core specification as Oracle Java SE. AWS maintains long-term support builds for Corretto 8, 11, 17, 21, and 25 with quarterly security updates aligned to Oracle's CPU release schedule. Compatibility issues occur on workloads using Oracle-specific commercial features (Application Class-Data Sharing in commercial mode, Java Flight Recorder pre-JDK 11, Mission Control commercial features) or third-party software that explicitly requires a Java SE vendor-certified runtime.
Yes. Oracle's Java audit team (GLAS / LMS) reviews historical Java SE deployment even after migration completes. The audit examines (1) Oracle Java SE installations during the window before the migration to determine retroactive Employee Metric exposure under the January 2023 model, (2) Oracle-built Java that was downloaded after April 2019 without a commercial subscription, and (3) third-party software bundled with Oracle Java SE. The Oracle Java SE to Amazon Corretto migration closes future exposure; it does not close historical exposure. Audit defence has to address both periods.
The Java SE Universal Subscription, launched January 2023, prices Java by total employee count across the entire organisation rather than by Java installation count. The metric definition counts all full-time employees, full-time-equivalents of part-time staff, all temporary employees, and all contractors who support the company's internal operations. A 10,000-employee company with twelve Java servers pays the same as a 10,000-employee company with twelve thousand Java servers. The audit exposure is large because most companies historically licensed Java by Processor / Named User Plus and now face a metric mismatch that LMS quotes at the new Employee Metric rate retroactively.
Amazon Corretto is free to download, deploy, and use in production, including for commercial workloads, under the GPLv2 with Classpath Exception licence. AWS provides community support through GitHub issues and the AWS forums. Customers running on AWS infrastructure receive support for Corretto through their standard AWS support plan at no additional cost. Customers running Corretto outside AWS who need commercial support typically engage a third-party JDK support vendor (BellSoft, Azul, Red Hat) at a fraction of Oracle's Employee Metric pricing.
For a typical enterprise estate with 200 to 2,000 Java installations across application servers, batch processes, desktop applications and third-party software, the migration runs 4 to 9 months. The critical path is inventory discovery and third-party software compatibility verification, not the technical Corretto deployment itself. Estates with vendor-certified-Java-SE-only software (some financial trading platforms, legacy Oracle Fusion Middleware components) require longer because the vendor certification has to be renegotiated or the software has to be replaced.
Twice a month. Oracle pricing moves, audit-defence tactics, migration economics, ULA exit playbooks. Written by former Oracle insiders, never marketing.
No spam. Unsubscribe any time. Independent — not affiliated with Oracle Corporation.