You can use AWS License Manager to track Oracle Java/JDK usage on Amazon Elastic Compute Cloud (Amazon EC2) instances and on-premises servers. If you’re already running Amazon Corretto (Amazon’s distribution of the OpenJDK), then you can probably stop reading now. This blog explains how License Manager can track license usage of other applications in your environment. The steps used to discover and track license usage can be implemented for other software for which license management is required. They can also be used to optionally enforce license compliance.

License Manager is a one-stop solution for managing licenses from a variety of vendors such as Microsoft, Oracle, IBM, SAP, and others. License Manager allows administrators to emulate licensing rules from software vendor agreements as license configurations. License configurations can be attached to Amazon Machine Images (AMIs), Launch Templates, or AWS CloudFormation templates to track license usage. License Manager tracks usage of licenses that are assigned by vCPU, core, socket, or instance. When an EC2 instance is launched from an AMI associated with a license configuration, license usage is automatically tracked via License Manager. You can optionally enforce metering and send alerts using Amazon Simple Notification Service (Amazon SNS). You can read more about this in mechanisms to govern license usage.

License Manager can also track license usage by application independent of the AMI. License configurations can be associated with applications by application name. This triggers a daily auto-discovery process to associate new server instances with the license configuration. EC2 instances or on-premises servers managed by AWS Systems Manager report their software inventory on a configurable, periodic basis; defaulting to every 30 minutes. License Manager cross-checks this software inventory and reports license usage for configured licenses, and if configured, sends alerts if not compliant.

Manage your instances with Systems Manager

To track Oracle JDK usage in an EC2 environment, you must first have your instances or on-premises servers under management with Systems Manager. Amazon Linux EC2 and Windows EC2 instances include the Systems Manager agent by default. They simply need an AWS Identity and Access Management (IAM) role with permissions to be managed by Systems Manager. Other EC2 instances must install the agent, and have an IAM role with permissions. All instances also need outbound network access to the Systems Manager service endpoints. They can use NAT gateways, internet gateways, VPC service endpoints, or a network path via on-premises connectivity all work. For more information on these steps, please check the AWS Systems Manager agent installation documentation.

On-premises servers can also be managed by Systems Manager and report their license usage to License Manager. These servers need the Systems Manager agent installed and must be registered with Systems Manager. For more details, check System Manager documentation for hybrid environments. These steps involve confirming your server OS trusts the certificates Amazon uses. Modern OS types have these root certificates trusted by default. Then, installing and finally registering and starting the agent.

Your servers should show up in the Systems Manager console as managed instances once they have following prerequisites.

  1. Systems Manager agent successfully installed and running,
  2. An IAM role with the correct permissions or, for hybrid (on-premises) servers, have successfully registered the agent, and
  3. Working connectivity to the SSM service

You can view and search software inventory on your managed instances in the Systems Manager console. Inventory data is synched by default every 30 minutes. You can execute the AWS-RefreshAssociation command document with the Systems Manager Run Command on target instances if you want data to refresh sooner.

The screenshot below shows instances managed by Systems Manager. The instances prefixed with “i-”are EC2 instances; instances prefixed with “mi-” are on-premises servers with the Systems Manager agent configured. I’ve named these on-premises instances as “On-PremHost.” If you prefer the AWS Command Line Interface (CLI), you can get this result with following command.

aws ssm describe-instance-information

AWS Systems Manager console showing Managed Instances panel under Instances & Nodes. Managed instances includes on-premises hosts and EC2 instances. Next, let us search the software inventory for a specific application beginning with “jdk.”. To do this from the AWS CLI, run the following command.

aws ssm list-inventory-entries --instance-id mi-xxxxxxxxxxxxxx --type-name "AWS:Application"

Search results of a specific managed instance when searking on applicatons that begin with the string "jdk".

Create a License Configuration

Head on over to the License Manager console, select license configurations, and create a license configuration.

This license configuration represents the set of licensing terms agreed with a software vendor such as Oracle. Provide it a name and description. For this case, you choose instances as the license type. You can also indicate if you want a notification if you are exceeding your license quantity or if you want to block launching AMIs that would exceed license limits. This setting does not block launching on-premises servers nor instances managed only by Systems Manager. Click submit to create the configuration.

Screenshot of creating a license configuration for the Oracle JDK. This depicts a license type applying to Instances.

Next, you can associate that configuration with any AMIs you have in our accounts that are subject to these license terms. In this example, use AMIs you’ve created where you’ve installed the Oracle JDK. For the license configuration you’ve created, select Associate AMI, choose your AMI, and click associate.

In this case, however, you have EC2 instances you want to track licenses on that were not launched from a known AMI. You also have on-premises servers whose license must be tracked.

Select Search inventory and you get a list of managed instances.

In the search box, you can choose Application name: Begins with and enter “jdk-”. This is the first part of the string Oracle JDK uses when installed on Linux). If you’re not sure what to search on, select instance from Systems Manager Inventory, and browse for the application you want. Check what it shows for application name.

When License Manager Search inventory has returned the desired results, select one of the returned rows and select Associate license configuration.

Screenshot showing inventory search results for the search string "jdk-". This returns a list of EC2 hosts and managed instances where AWS Systems Manager has a software inventory record with the search string present.

Select the jdk-* string.

This screenshot shows associating the inventory string of "jdk-13.0.2" with our license configuration.

Next, let’s search for and add the Oracle Java SDK for Windows to our license configuration. We could also create a separate license configuration for Windows if we wanted to track that separately.

Search on Application name: Begins with and enter Java. Select one of the rows that returns a Windows instance with the version you want. Associate with the correct license configuration.

Screenshot showing inventory search results for the search string "Java". This returns a list of EC2 hosts and managed instances where AWS Systems Manager has a software inventory record with the search string present.

This screenshot shows associating the inventory string of "Java(TM) SE Development Kit 13.0.2 (64-bit)" with our license configuration.

Now, let’s return and review your license configuration. Note the two strings under Product information on the top card. Applications that have either of those product information strings as detected by Systems Manager automatically show up as associated with this license configuration. The auto-detection runs every twenty-four hours. Instances launched from an AMI listed under the Associated AMI tab also show up (with or without the Systems Manager agent).

If you have additional versions of Oracle Java in your environment, you can Search inventory and add those as well.

To create the license configuration as shown above from the AWS CLI, run the following command

aws license-manager create-license-configuration --name "Oracle JDK" \ --description "Oracle JDK Licenses for Linux and Windows" \ --license-counting-type Instance \ --product-information-list='{"ResourceType":"SSM_MANAGED","ProductInformationFilterList":[{"ProductInformationFilterName": "Application Name","ProductInformationFilterValue":["jdk-13.0.2", "Java(TM) SE Development Kit 13.0.2 (64-bit)"],"ProductInformationFilterComparator": "EQUALS"}]}’

License Manager runs a process once every 24 hours to sync this data. So check back this time tomorrow and you should have a comprehensive view of deployments of Oracle JDK in your Systems Manager managed fleet.

Screenshot of our license configuration showing the inventory strings it will auto-detect and apply to. Below we see the tracked resources license manager automatically detected on a 24-hour detection cycle.
If you want to return this data via the AWS CLI APIs, you need the Amazon Resource Name (ARN) of the License Configuration. You can then run the following command.

aws license-manager list-usage-for-license-configuration --license-configuration-arn arn:aws:license-manager:us-east-1:000000000000:license-configuration:lic- xxxxxxxxxxxxxxxxxxxxxxxxxxxx

You can generate more readable results with –output table or with –output text.

If you want to programmatically query the licenses consumed value, you can do that with the AWS CLI as well. You need the ARN as an input parameter.

aws license-manager list-license-configurations \  --license-configuration-arns arn:aws:license-manager:us-east-1:000000000000:license-configuration:lic-xxxxxxxxxxxxxxxxxxxxxxxxxxxx \
  --query 'LicenseConfigurations[*].ConsumedLicenses' \
  --output text

Summary

Hopefully you find this useful in keeping compliant with your Oracle Java license requirements. In this blog post, we demonstrated how to use License Manager with EC2 instances and on-premises servers managed by Systems Manager. We also covered how to define license configurations and track deployed licenses on these managed machines.

If you have comments about this blog post, please submit them in the “Comments” section below. If you have questions about License Manager, please start a new thread in the AWS Systems Manager forum.

All the best in your compliance journey.

– Kyle

Kyle Hart photo Kyle Hart is a Senior Solutions Architect supporting US Federal Government customers in the Washington DC area.