Download Oracle Java Using the Java Management Service

Java Management Service (JMS) Java Download enables you to download Oracle Java releases through Oracle Cloud Infrastructure (OCI). This includes all publicly available Oracle Java releases from the last 2 years. Java Download also provides vital information such as:

• Java versions that are currently supported their end of life
• Java versions containing the latest security patches
• Release dates and release type
• License terms of the Java release

Java Download also includes a reporting feature that provides information on downloads occurred during the specified time period. You can view the reports that is aggregated by Java version, operating system and architecture, and Java release.

About JMS Java Download

JMS is an OCI native service that is available in all commercial and restricted realms. Using JMS Java Download, there are two options to download the desired Oracle Java runtime binaries:

• Using Script Friendly Download commands.

  This is made possible through the use of tokens. Tokens are generated for a specific Java version by accepting the license terms (if applicable). The generated tokens are then used by non-OCI users in the script friendly commands to download the runtime binaries. Lifecycle management of the tokens can be done through the OCI Console or the SDK

• Direct Download from OCI Console.

  OCI users can download the Java binaries directly from the OCI Console by acknowledging and accepting the license terms. License acceptance is once per tenancy.

Oracle Java releases are made available under Oracle No-Fee Terms and Conditions (NFTC) and Oracle Technology Network License Agreement for Oracle Java SE (OTN), depending on the version and the release. Ensure that you review the license terms before downloading the desired version.

JMS Java Downloads provides comprehensive metadata about Java releases. Below is a sample metadata payload depicting the information provided.

{
  "artifacts": [
    {
      "artifactId": 11601,
      "artifactDescription": "Linux x64 Compressed Archive",
      "artifactContentType": "JDK",
      "approximateFileSizeInBytes": 197677861,
      "sha256": "267b10b14b4e5fada19aca3be3b961ce4f81f1bd3ffcd070e90a5586106125eb",
      "artifactFileName": "jdk-21.0.7_linux-x64_bin.tar.gz",
      "osFamily": "linux",
      "architecture": "x64",
      "packageType": "tar.gz",
      "packageTypeDetail": "Compressed Archive",
      "downloadUrl": "https://javamanagementservice-download.ap-mumbai-1.oci.oraclecloud.com/20230601/actions/generateArtifactDownloadUrl",
      "scriptDownloadUrl": "https://java.oraclecloud.com/java/21/archive/jdk-21.0.7_linux-x64_bin.tar.gz",
      "scriptChecksumUrl": "https://java.oraclecloud.com/java/21/archive/jdk-21.0.7_linux-x64_bin.tar.gz.sha256"
    },
    ...//trimmed
  ],
  ],
  "releaseVersion": "21.0.7",
  "familyVersion": "21",
  "securityStatus": "UP_TO_DATE",
  "releaseType": "CPU",
  "licenseType": "NFTC",
  "familyDetails": {
    "familyVersion": "21",
    "displayName": "JDK 21",
    "supportType": "LTS",
    "endOfSupportLifeDate": "2031-09-19T23:59:59.000Z",
    "docUrl": "https://docs.oracle.com/en/java/javase/21",
    "latestReleaseVersion": "21.0.7",
    "isSupportedVersion": true,
    "releaseDate": "2023-09-19T00:00:00.000Z"
  },
  "licenseDetails": {
    "displayName": "Oracle No-Fee Terms and Conditions",
    "licenseType": "NFTC",
    "licenseUrl": "https://java.com/freeuselicense"
  },
  "releaseDate": "2025-04-15T00:00:00.000Z",
  "releaseNotesUrl": "https://www.oracle.com/java/technologies/javase/21-0-7-relnotes.html",
  "artifactContentTypes": [
    "JDK"
  ],
  "daysUnderSecurityBaseline": 0
}

About Roles and Responsibilities

This reference architecture requires the following roles:

Role	Responsibility
Customer OCI Administrator	The user in your organization who is part of the Oracle Cloud Infrastructure Identity and Access Management Administrators group. This person has superuser level privileges. Typically, a default administrator is setup when your organization signs up for an Oracle account and identity domain. This person is responsible for setting up additional administrators. The default administrator automatically belongs to the Administrators group.
Customer JMS Java Download Administrator	The OCI user in your organization that has manage permissions for java-download-tokens and java-download-reports resources.
Customer JMS Java Download User	The OCI user in your organization that has read permissions for java-download-tokens and java-download-reports resources.
Customer End User	An end user in your organization who needs to download the Java binaries. This can be an OCI user or non-OCI user.

See Oracle Products, Solutions, and Services to get what you need.

Architecture

For the script friendly downloads, the tokens are region specific and stored in an Oracle Autonomous Transaction Processing database in the region it was generated. Tokens embed information about the OCI region, Java version, and the license acceptance. Tokens also aid in gathering statistics for reporting.

The following diagram illustrates the architecture and topology of Java Management Service Java Downloads in production. The metadata about the Java releases are stored in Oracle Autonomous Transaction Processing database in JMS tenancy. The Java runtime binaries are stored in OCI Object Storage in JMS tenancy.

Description of the illustration jms-oci-download-topology.png

jms-oci-download-topology-oracle.zip

The architecture has the following components:

• Region

  An OCI region is a localized geographic area that contains one or more data centers, hosting availability domains. Regions are independent of other regions, and vast distances can separate them (across countries or even continents).

• Availability domains

  Availability domains are standalone, independent data centers within a region. The physical resources in each availability domain are isolated from the resources in the other availability domains, which provides fault tolerance. Availability domains don’t share infrastructure such as power or cooling, or the internal availability domain network. So, a failure at one availability domain shouldn't affect the other availability domains in the region.

• Compartment

  Compartments are cross-regional logical partitions within an OCI tenancy. Use compartments to organize, control access, and set usage quotas for your Oracle Cloud resources. In a given compartment, you define policies that control access and set privileges for resources.

• Dynamic routing gateway (DRG)

  The DRG is a virtual router that provides a path for private network traffic between VCNs in the same region, between a VCN and a network outside the region, such as a VCN in another OCI region, an on-premises network, or a network in another cloud provider.

• Instance pool

  An instance pool is a group of instances within a region that are created from the same instance configuration and managed as a group.

• On-premises network

  This is a local network used by your organization.

• Security list

  For each subnet, you can create security rules that specify the source, destination, and type of traffic that is allowed in and out of the subnet.

• Security zone

  Security zones implement key Oracle security best practices by enforcing policies for an entire compartment, such as encrypting data and preventing public access to networks. A security zone is associated with a compartment of the same name and includes security zone policies (a recipe) that applies to the compartment and its sub-compartments. You can't add or move a standard compartment to a security zone compartment.

• Service gateway

  A service gateway provides access from a VCN to other services, such as Oracle Cloud Infrastructure Object Storage. The traffic from the VCN to the Oracle service travels over the Oracle network fabric and does not traverse the internet.

• Tenancy

  A tenancy is a secure and isolated partition that Oracle sets up within Oracle Cloud when you sign up for OCI. You can create, organize, and administer your resources on OCI within your tenancy. A tenancy is synonymous with a company or organization. Usually, a company will have a single tenancy and reflect its organizational structure within that tenancy. A single tenancy is usually associated with a single subscription, and a single subscription usually only has one tenancy.

• Logging
  Oracle Cloud Infrastructure Logging is a highly-scalable and fully-managed service that provides access to the following types of logs from your resources in the cloud:

  • Audit logs: Logs related to events produced by OCI Audit.
  • Service logs: Logs published by individual services such as OCI API Gateway, OCI Events, OCI Functions, OCI Load Balancing, OCI Object Storage, and VCN flow logs.
  • Custom logs: Logs that contain diagnostic information from custom applications, other cloud providers, or an on-premises environment.
• Monitoring

  Oracle Cloud Infrastructure Monitoring actively and passively monitors your cloud resources, and uses alarms to notify you when metrics meet specified triggers.

• Policy

  An Oracle Cloud Infrastructure Identity and Access Management policy specifies who can access which resources, and how. Access is granted at the group and compartment level, which means you can write a policy that gives a group a specific type of access within a specific compartment or to the tenancy.

• Oracle Cloud Infrastructure Vault

  Oracle Cloud Infrastructure Vault enables you to create and centrally manage the encryption keys that protect your data and the secret credentials that you use to secure access to your resources in the cloud. The default key management is Oracle-managed keys. You can also use customer-managed keys which use OCI Vault. OCI Vault offers a rich set of REST APIs to manage vaults and keys.

• Workflow

  Oracle Cloud Infrastructure Workflow is a serverless workflow engine with a graphical flow designer for developers and architects. It accelerates the creation, running, and orchestration of OCI services such as OCI Functions or AI/ML.

• Virtual cloud network (VCN) and subnets

  A VCN is a customizable, software-defined network that you set up in an OCI region. Like traditional data center networks, VCNs give you control over your network environment. A VCN can have multiple non-overlapping classless inter-domain routing (CIDR) blocks that you can change after you create the VCN. You can segment a VCN into subnets, which can be scoped to a region or to an availability domain. Each subnet consists of a contiguous range of addresses that don't overlap with the other subnets in the VCN. You can change the size of a subnet after creation. A subnet can be public or private.

• API Gateway

  Oracle Cloud Infrastructure API Gateway enables you to publish APIs with private endpoints that are accessible from within your network, and which you can expose to the public internet if required. The endpoints support API validation, request and response transformation, CORS, authentication and authorization, and request limiting.

• Autonomous Database

  Oracle Autonomous Database is a fully-managed, preconfigured database environment that you can use for transaction processing and data warehousing workloads. You do not need to configure or manage any hardware, or install any software. OCI handles creating, backing up, patching, upgrading, and tuning the database.

• Bastion host

  The bastion host is a compute instance that serves as a secure, controlled entry point to the topology from outside the cloud. The bastion host is provisioned typically in a demilitarized zone (DMZ). It enables you to protect sensitive resources by placing them in private networks that can't be accessed directly from outside the cloud. The topology has a single, known entry point that you can monitor and audit regularly. So, you can avoid exposing the more sensitive components of the topology without compromising access to them.

• Compute

  With Oracle Cloud Infrastructure Compute, you can provision and manage compute hosts in the cloud. You can launch compute instances with shapes that meet your resource requirements for CPU, memory, network bandwidth, and storage. After creating a compute instance, you can access it securely, restart it, attach and detach volumes, and terminate it when you no longer need it.

• DNS

  Oracle Cloud Infrastructure Domain Name System (DNS) service is a highly scalable, global anycast domain name system (DNS) network that offers enhanced DNS performance, resiliency, and scalability, so that end users connect to internet applications quickly, from anywhere.

• Kafka Streams

  Kafka Streams is a client library for building applications and microservices, where the input and output data are stored in Kafka clusters. It combines the simplicity of writing and deploying standard Java and Scala applications on the client side with the benefits of Kafka's server-side cluster technology.

• Object Storage

  OCI Object Storage provides access to large amounts of structured and unstructured data of any content type, including database backups, analytic data, and rich content such as images and videos. You can safely and securely store data directly from the internet or from within the cloud platform. You can scale storage without experiencing any degradation in performance or service reliability.

  Use standard storage for "hot" storage that you need to access quickly, immediately, and frequently. Use archive storage for "cold" storage that you retain for long periods of time and seldom or rarely access.

• Oracle Management Agent

  Oracle Management Agent is a service that provides low latency interactive communication and data collection between Oracle Cloud Infrastructure and on premise managed instances. Management agents collects data from sources that you want to monitor. Management Agent Service, an Oracle Cloud Service, manages the lifecycle of the management agent and the plug-ins for the services.

• Oracle Cloud Agent

  Oracle Cloud Agent is a lightweight process that manages the lifecycle of plugins running on compute instances on OCI. The JMS Plugins collect Java metadata from your environment deployed on the managed instance in OCI. The JMS plugin exfiltrates this Java metadata to the JMS service in OCI.

• Kiev as a Service (KaaS)

  KaaS is a fully managed data platform service used primarily by Control Plane services on OCI. KaaS provides high-level NoSQL APIs for easy integration, serializable scans, change-feed streaming, and other features. KaaS is a service built on top of Kiev. Kiev is a "NoSQL key-value store" that also supports mini-transactions for convenience. To prevent concurrency bugs in applications, Kiev's mini-transactions have strong isolation which provides stronger guarantees than the weaker isolation levels that are commonly used in Oracle and MySQL. Kiev has an availability SLA of 99.9%.

Data Flow

The following are the data flows for the Script Friendly Download and Direct Download from OCI use cases.

Script Friendly Download

Description of the illustration dataflow-script-friendly-download.png

dataflow-script-friendly-download-oracle.zip

1. Customer JMS Java Download Administrator: Browses through the inventory of Java releases and associated metadata.
2. Customer JMS Java Download Administrator: Reviews the license of the Java version picked for download. Creates a token with metadata and an expiry date.
3. JMS Service: JMS service creates the download token using secure algorithms.
4. Customer JMS Java Download Administrator: The administrator receives the token from JMS service.
5. Customer JMS Java Download Administrator: The administrator distributes the download token in the enterprise so that both OCI and non-OCI users can use it for downloading Java binaries.
6. Customer End User: The users in customer enterprise use the download token in script friendly download commands to request for download of the Java binary. The script friendly download command contains the release version, OS, architecture and type of artifact to download.
7. JMS Service: JMS service validates the download command and the token.
8. Customer End User: The end user receives the Java binary on the machine.

Direct Download from OCI

Description of the illustration dataflow-local-download.png

dataflow-local-download-oracle.zip

1. Customer JMS Java Download User: Browses through the inventory of Java releases and associated metadata.
2. Customer JMS Java Download User: Reviews the license of the Java version picked for download.
3. Customer JMS Java Download User: Requests for download of the Java binary. The request contains the release version, OS, architecture and type of artifact to download.
4. JMS Service: JMS service validates the download request.
5. Customer JMS Java Download User: The user receives the Java binary on the machine.

Recommendations

Use the following recommendations as a starting point. Your requirements might differ from the architecture described here.

• Virtual cloud network (VCN)

  When you create a VCN, determine the number of CIDR blocks required and the size of each block based on the number of resources that you plan to attach to subnets in the VCN. Use CIDR blocks that are within the standard private IP address space.

  Select CIDR blocks that don't overlap with any other network (in Oracle Cloud Infrastructure, your on-premises data center, or another cloud provider) to which you intend to set up private connections.

  When you create a VCN, determine the number of CIDR blocks required and the size of each block based on the number of resources that you plan to attach to subnets in the VCN. Use CIDR blocks that are within the standard private IP address space.

  After you create a VCN, you can change, add, and remove its CIDR blocks.

  When you design the subnets, consider your traffic flow and security requirements. Attach all the resources within a specific tier or role to the same subnet, which can serve as a security boundary.

  Use regional subnets.

• Security

  Use Oracle Cloud Guard and security zones for added security.

  Oracle Cloud Guard helps you monitor and maintain the security of your resources in Oracle Cloud Infrastructure proactively and security zones provide security policies.

• Cloud Guard

  Clone and customize the default recipes provided by Oracle to create custom detector and responder recipes. These recipes enable you to specify what type of security violations generate a warning and what actions are allowed to be performed on them. For example, you might want to detect OCI Object Storage buckets that have visibility set to public.

  Apply Oracle Cloud Guard at the tenancy level to cover the broadest scope and to reduce the administrative burden of maintaining multiple configurations.

  You can also use the Managed List feature to apply certain configurations to detectors.

• Security Zones

  For resources that require maximum security, Oracle recommends that you use security zones. A security zone is a compartment associated with an Oracle-defined recipe of security policies that are based on best practices. For example, the resources in a security zone must not be accessible from the public internet and they must be encrypted using customer-managed keys. When you create and update resources in a security zone, OCI validates the operations against the policies in the recipe, and prevents operations that violate any of the policies.

• Network security groups (NSGs)

  You can use NSGs to define a set of ingress and egress rules that apply to specific VNICs. We recommend using NSGs rather than security lists, because NSGs enable you to separate the VCN's subnet architecture from the security requirements of your application.

Considerations

When using JMS Java Download, consider the following points.

• Performance
  • The script friendly download commands can get through multiple network hops before starting the download, possibly adding some network latency.
  • Based on the volume of downloads, the aggregated report generation and report download can take some time to complete.
• Payload

  Consider the following details when using this reference architecture:

  Payload Type	Approximate Size	Additional Information
  Metadata for a Java release version	10kB	Depends on the version and number of Java binary artifacts available for this version.
  Java Download Token	100 bytes	The token is compressed and base64 encoded.
  Java binary size	100MB - 250 MB	The size varies based on the Java version, the OS platform and architecture, and the artifact type (JRE or JDK).

• Security

  Use policies to restrict who can manage the JMS Java Download tokens in your enterprise. The tokens are generated using secure algorithms and embed authorization information that are used to validate download requests. Treat the tokens as sensitive information while distribution to users in the enterprise. Track the download statistics using the reporting feature. You can also revoke the tokens if you sense a misuse.

• Availability

  JMS has been designated as a category 10 service with a published service level objective of 3'9s (99.9).

• Cost

  JMS Java Downloads is available as a free service. However, there is service limit on the number of active tokens per region.

  • 50 active tokens are allowed per tenancy
  • 10 active tokens are allowed per Java Version

Explore More

Learn more about Java Management Service and OCI.

Review the following documentation:

• Monitor and manage your Java and Java application installations
• https://docs.oracle.com/en-us/iaas/jms/doc/java-download.html
• https://docs.oracle.com/en-us/iaas/jms/doc/script-friendly-download.html
• https://docs.oracle.com/en-us/iaas/jms/doc/download-local.html
• https://docs.oracle.com/en-us/iaas/jms/doc/java-dowload-policy-statements.html
• Details for the Java Management Service policy reference
• Oracle Cloud Infrastructure Documentation

Review these additional resources:

• Well-architected framework for Oracle Cloud Infrastructure
• https://blogs.oracle.com/java/post/java-download-now-available-on-oci (blog)
• https://blogs.oracle.com/java/post/oracle-java-releases-public-apis (blog)
• Oracle Cloud Cost Estimator

Acknowledgments

• Authors: Rajath Kamath
• Contributors: Atiq Ahamad