Sunday, August 26, 2012

Clarification on Oracle XE licensing - really free for any usage?

Since Oracle XE was initially released in January 2006 I believed there was no usage restriction whatsoever with regards to the type of application you could build with Oracle XE and especially in combination with Oracle Application Express (Oracle APEX).

Just recently a customer of mine was told by an Oracle sales rep in Germany that certain usage scenarios are not covered by the Oracle XE license and he therefore would have to purchase a regular Oracle (at least Standard One) license for that purpose.

This sales rep argued that once you build an application as a hosted solution storing customer data in this database, this is no longer covered by the XE license.

I was stunned and couldn't believe that. Then I had a close look at the official license agreement: http://www.oracle.com/technetwork/licenses/database-11g-express-license-459621.html

There I noticed that this usage scenario wasn't covered explicitly, and I wasn't 100% sure any more. I checked the forum again and saw that these questions do come up once in a while; here are just a few examples:
https://forums.oracle.com/forums/thread.jspa?messageID=1454706&#1454706
https://forums.oracle.com/forums/thread.jspa?messageID=2775638&#2775638

Thus I decided to get some official statement from Oracle.

Oracle authorities from Database Product Management and Oracle Pricing responded to my request and confirmed that any application-specific usage of Oracle XE is covered by the license agreement and there is no usage related restriction imposed on Oracle XE.

I have explicitly asked for the following use cases:

1) A web application for the internal staff only: A calendaring application where one could record his times of absence. The application is reachable via the internet but protected by a login. Only the employees of the company running Oracle XE are allowed to access the application.

2) A web application used by everybody, no customer content stored in the database: This could be a company website which is built on Oracle XE / APEX. This application is reachable over the internet by everybody. Content is only provided by the company running Oracle XE.

3) A web application used by customers on their own data (no manipulation through website): This could be an application similar to the UPS or DHL tracking of parcels. Information is processed in other backend systems and published to Oracle XE to allow a customer to query for his/her own data.

4) Supporting a business process via a web application among several of my customers: This could be a portal allowing a customer to invite other parties to bid on a public project (like building a railroad track). This portal (built using Oracle APEX and Oracle XE) supports the communication between all parties and allows the upload / download of files with regard to specific parts of the bid.

5) A web application used by customers to provide services to others: This could be a multi-tenant shop system where different customers open their own shop and upload their product catalogs in order to resell them to their own customers.

Aside from that, you would still have to comply with all other elements of the license agreement: http://www.oracle.com/technetwork/licenses/database-11g-express-license-459621.html
i.e. you have to comply with the export restrictions, your end customers would have to agree to the XE license agreement, and so forth.

Cheers and enjoy Oracle XE and Oracle APEX!
~Dietmar.

10 comments:

John Scott said...

Dietmar,

Great breakdown - I have to say I'm a big fan of seeing licenses detailed in the type of use-cases you listed, rather than the 'lawyer-speak' that you typically see.

Hopefully the sort of use-cases you listed could be listed as part of an official XE FAQ since as you say there can be a lot of confusion around what is/isn't permitted.

Like you, I've heard some very incorrect statements made about the licensing so it's great to be able to point back at an official source.

John.

Dietmar Aust said...

Hi John,

thanks.

Yes, it is always difficult for me to understand the "lawyer speak" as well. And sometimes, even the "translations" aren't really helpful either ;).

>Hopefully the sort of use-cases you listed could be listed as part of an official
>XE FAQ since as you say there can be a lot of confusion around what is/isn't
> permitted.
Yes, I would hope for that but I am not sure this will actually happen.

I strongly believe that this is Oracle's duty to provide clarification on licensing questions/issues, even for a cost-free product.

Unfortunately, since Mark Townsend passed away, nobody official from Oracle seems to monitor the Oracle XE forum any more.

And yes, all clarifications should be added to the official Oracle licensing statement hosted on an official Oracle site.

This is what we have to shoot for.

Nevertheless, the statement I have received is pretty clear; I have especially asked for a statement that I could post on my blog.

Cheers,
Dietmar.

Niall Mc Phillips said...

Thanks Dietmar. As a user of XE since its first release back in 2005, I find this blog post to be a very clear and useful synopsis of XE licensing.

Making XE freely available has greatly benefited Oracle, as it has allowed developers to choose Oracle over other free alternatives. Back in 2005 we were working on a project in Africa using open-source databases, and then OracleXE was released so we quickly changed direction and went live on 10gXE. The stability and robustness of Oracle was a key factor in this project becoming a success. It is still running in production today.

Developer adoption of XE is a win-win situation for Oracle - they get greater market share AND higher potential future revenue from upgrades to SE and EE.

All the best.
Niall.

Buzz Killington said...

The only problem I have with the XE product is that it doesn't get patched like any of the regular products.

If I'm using it on my own machine for prototyping, etc., it's not a huge concern. If I were to use that for a commercial app, the no-patching thing would concern me.

What is your take on that?

Dietmar Aust said...

Hi Niall,

thanks for sharing.

And yes ... I have had similar experiences.

Cheers,
~Dietmar.

Dietmar Aust said...

Hi Buzz,

>If I'm using it on my own machine for prototyping..etc, not a huge
> concern. If I were to use that for a commercial app, the no
>patching thing would concern me.

I don't consider myself a security expert; you should rather address this question to Niall Litchfield, Alexander Kornbrust or Anton Nielsen.

My take on that? Well, what does security mean anyway? You have different layers which can be attacked:
1) the http server
2) your apex application
3) the apex framework
4) the oracle database
5) the operating system

What would I recommend?
1)
- use a current Apache (this one can be hardened)
- use the APEX listener through AJP as a back-end for the Apache http server
- secure the APEX listener: http://krisrice.blogspot.de/2012/05/apex-listener-jdbcsecurity-setup.html
- use SSL
- lock down the ports, i.e. traffic to your machine is only allowed on port 443 (the default ssl port)

2)
- use session state protection
- don't trust anything being sent from the client
- take care of sql injection and cross site scripting attacks
- use a security checker for APEX like sumneva sert or http://www.recx.co.uk/apexsec-security-for-oracle-apex.php

3)
- install the apex runtime only version (no development)
- patch regularly to the latest APEX releases

4)
- lock down direct access to the Oracle XE database
- disable the XML DB http server
- use VPN setups or at least an ssh tunnel to access your database

5)
- never done that but many tools / tutorials available

In addition to that you could even add a web application firewall (WAF) and hire a professional security expert to try to hack your site.


Looking at the different layers, typically YOUR OWN application is the weak spot.

Hope that helps,
~Dietmar.

Leonardo Campos said...

Hi.. thanks for your post, very helpful.
However, my case is a little different and though I think I know the answer to my question I'd like to confirm it.

I'd like to build a solution for the gym business (not my gym) and I'd like to charge for the service (client control, body condition monitoring and payments, basically).

My question might be a little silly, but I'm starting as a developer and I'd like to build the application using APEX + Oracle XE.

So the question is: do I have to buy a licence for the standard Oracle database? Is there any way I could do it without paying?

Thanks, and sorry about my English.

Dietmar Aust said...

Hi Leonardo,

from my personal point of view your endeavour is perfectly legal and wouldn't require a license from Oracle. The APEX listener doesn't require a separate license and comes with APEX. So once you have a license for the Oracle database, you are all set.

And Oracle XE is free to use for your purpose. Just make sure to follow the XE license requirements, I believe you might have to add certain text from there for your customers (so that your customers accept Oracle's license agreement as well), just read it closely. But you won't need a license. If the limitations of XE are sufficient for you, you are all good to go.

Once again, this is no actual legal advice ... you cannot sue me for that ;).

Cheers,
~Dietmar.

Anonymous said...

Hi,

What kind of license restrictions would exist on using the headers (gimh.h/gimp.h) from the Oracle XE edition to write commercial applications?

These are headers which describe the functions to check the database health.

When creating standalone programs one needs to link against "libdbtools11.a" and libclntsch.so.

Thanks!

Dietmar Aust said...

Hi,

I am sorry but I cannot tell you the answer here ... highly specific question.

The only pointer I can give here is the list of all available features: http://docs.oracle.com/cd/E17781_01/license.112/e18068/toc.htm#BABJBGGA

Cheers,
~Dietmar.