madora audit guide002madora.co.uk/wp-content/uploads/2014/12/madora-audit-guide-03.pdf · a true...
TRANSCRIPT
Licence Audit
1
Understand the process and minimise your exposure
2
The Oracle
The Madora Consulting e-‐Guide Series
Welcome to The Oracle Audit e-‐Guide from Madora Consulting.
The aim of this E-‐book is to take you through the Oracle License Management Service (LMS) auditing process so that you understand what Oracle is trying to achieve, what will be asked of you, how you should respond to Oracle and how to prepare for the results.
A true audit is when the contractual right to audit clause in your Oracle contract is invoked
Introduction
1
Often we talk to Oracle Users when they have either been audited or have been recently approached by Oracle for an audit; unfortunately there is a lot of misunderstanding about the actual term ‘audit’. The majority of end users we speak to or partners we work with are in fact referring to an Oracle review. The problem is that for many end users they think they are the same thing, but they are not.
A true audit is when the contractual right to audit clause in your Oracle contract is invoked; this is not the same thing as a request from Oracle to “review your licences” or to “help you optimise” them.
You can find the audit clause in your Oracle Licence and Services Agreements (OLSA) and the newer Oracle Master Agreements (OMA). Here the licence agreement gives Oracle the right upon generally 45 days’ notice to request access to your systems where its products are installed. If after
2
Oracle investigates you are found to be under-‐licensed then you are required to purchase licences to make up the shortfall without the discounts you may have been used to and possibly with the addition of back support. This un-‐budgeted spend can be a major dent in finances and usually elicits a pretty negative response from Oracle customers.
However many so called Oracle ‘audits’ are really Oracle reviews in disguise. These Oracle ‘Audit’ imitators could be licence reviews instigated by Sales or in collaboration with Customer Optimisation License Services (COLS), part of the UK Sales Organisation.
Oracle may well present the review as an opportunity to confirm your current licenses and understand ways to optimise your licence position.
What is an Audit?
“
1
But let’s not kid ourselves; the focus is on revenue generation. Optimisation rarely means a reduction in licence or support fees. Do you know of any cases where COLS have engaged and reduced licence or support fees, without new spend? We would love to hear from you if you do.
The key point to remember is that if Oracle makes any inquiries about your licence position, unless they explicitly provide in a letter, you can assume it is not an audit. In other words you are not contractually obliged to cooperate with Oracle in these non-‐contract instigated reviews.
If you do get approached, our advice is to proceed with caution and provide no information until you have taken expert advice, and of course read this eGuide.
However we do recommend you are cooperative and keep an open dialogue with Oracle. See our blog Oracle is from Mars Customers are from Venus to understand what makes Oracle tick.
If you suspect you may be under-‐licensed bring in a third party to support you and quickly investigate your level of risk.
Do not fill out the Oracle Server worksheet unless you fully understand what is required of you and know that you are accurately filling it in. Any information provided that is
2
incomplete, vague or incorrect will draw more attention and scrutiny.
If you think you may have an issue, seek independent third party advice to help you to understand the full financial impact and also the possible process to mitigate the exposure.
Madora can help here, a free, no obligation and confidential call can often help you understand your situation better and diffuse the stress and concern you may have. Oracle understands the process can take some time so do not feel under pressure to respond straight away. You have time to seek advice. Madora have been through the process many, many times so allow us to advise you on when and what to communicate.
In summary, do insist that any request is stated via a letter/email and check if the contractual right to audit clause is referenced.
If you are not sure ask Oracle directly whether this is an actual audit.
If it isn’t then decide if you wish to proceed with an Oracle review. Our advice is that carrying out a review can actually be a good thing to get your house in order, but do so with the knowledge and know how, to be empowered when dealing with Oracle.
Either way a quick call with Madora will set you in good stead.
insist that any request is stated via a letter and check the contractual right to audit clause is referenced.
3
“
A true audit is when the contractual right to audit clause in your Oracle contract is invoked.
What is the Oracle Audit Process?
1
You may not have been officially audited by Oracle, but you will be at some time. This section takes you through the process that LMS will follow and gives you more information about their tools such as the LMS scripts, what they are, how they will be used and why you are being asked to run them.
It is intended we will answer the following questions;
• Why am I doing this?
• Why do the scripts exist?
• What do the scripts do?
• How are the scripts provided?
• Where are they run?
• What do I do with the output?
• What happens next?
• What are the common pitfalls and questions?
• Resolution
Why am I doing this?
If you are reading this document, it is likely Oracle will have requested that a licence review be carried out on your Oracle estate. You will have signed up to this
2
right when you accepted the terms of the Oracle Licensing and Software Agreement (OLSA). Oracle will expect you to assist them in this review within 45 days of their initial notification to you. You will also have agreed to reasonable cooperation and to resolve any licensing shortfall that may be discovered within 30 days of receiving the licence review report.
Why do the scripts exist?
Oracle software is a complex suite of products and in order to give the correct view of your software usage Oracle provides a set of scripts from its Licence Management Service (LMS) for this purpose. The various scripts produce information in the correct format for loading into Oracle's analysis tools.
What do the scripts do?
There are several groups of scripts but the most usual are the Database, Middleware and the E-‐business Suite (EBS) scripts; these cover the vast majority of licence reviews in the UK.
“
3
Here is a brief summary of what they measure:
Database
• Database and options details including installation and usage.
• OEM option packs and Grid control.
• CPU processor details, cores and sockets.
Middleware
OAS
• Oracle Application Server products such as Internet Application Server (IAS).
• Information about the server.
E-‐Business Suite
• Information on users, responsibilities, applications and security groups from the FND tables
• Usage information such as order lines, expense reports etc.
• Any changes that have been made to the Applications database schema e.g. tables, views, reports etc.
See Appendix A for a full list and summary details of the above.
How are the scripts provided?
The scripts are packaged in a
4
Windows .ZIP file with separate Database, Middleware and Applications subfolders. The folder contents are detailed in Appendix A. The scripts are generally emailed to you; if your e-‐mail system blocks zipped files then inform Oracle or their JPE Partner.
Where are they run?
The Database scripts are run against every database server and the ReviewLite script is run against every database instance on every database server.
The Middleware scripts are run against every middleware server as applicable.
The E-‐Business scripts are run against the applications schema on the appropriate database server.
What do I do with the output?
The LMS scripts produce a mixture of text files and tar files and these will need to be sent to Oracle or the third party JPE Partner. This is usually achieved by either emailing as attachments if small enough, uploading onto the Oracle FTP site or producing a DVD and shipping this to Oracle or the third party JPE Partner, if there is a large amount of
5
data.
Details of the secure FTP site will be sent to you on request and are often provided with the instructions.
For the Oracle FTP site you will need to set up a Single Sign On (SSO) Account and
The LMS scripts produce a mixture of text files and tar files
“
Your data will be sent to Oracle's centralised processing unit in Europe.
6
details of how to do this will be included in the instructions.
What happens next?
Your data will be sent to Oracle's centralised processing unit in Europe. A first analysis is returned to Oracle or their JPE Partner where it is checked along with any questions which Oracle has asked based on what they have found so far. This means that there could be one or more rounds of questions to drill down into particular areas. In order to minimise any to-‐ing and fro-‐ing the following section contains some common questions and reasons for revisiting the details.
The final output from Oracle or their JPE Partner is a report identifying your licensing position which has been agreed with Oracle LMS. This report will then be presented to you for agreement.
1
What are the common pitfalls and questions?
As mentioned above there are a number of regular questions that LMS will ask during a review. These include:
Are you using diagnostics, tuning or any of the other OEM Packs?
• There is a setting that can
2
be set to “none, one or both” and the default position on installation is both. This does not mean they are necessarily in use but does require Oracle to ask the question.
Are you using the database Spatial option or Locator?
• Oracle can tell that either Spatial or Locator is in use but not which one; Spatial is an extra cost option, Locator is not.
Do you have licences for Internet Developer Suite (IDS) and Programmer and how many users do you have of each?
• If you are an EBS customer it is most likely that you have customisations made to the basic product. In this case you will require at least one Named User of both IDS and Programmer.
If you are using a form of server virtualization
• Oracle requires proof of the virtual to physical mapping; i.e. in the case of VMware and OracleVM they request screenshots which show this mapping for all servers/clusters.
“
3
There may be implications particularly with later versions of VMWare as every physical host which has access to shared storage may need to be licensed for the Oracle products, regardless of where they are installed and used.
The following are examples of configurations which may cause problems and care needs to be taken when implementing these, Oracle may ask for more information during a review:
• Use of a SAN or other shared storage
• External clusters or servers accessing the same storage
• Use of VShere which virtually links internal disks and replicates a virtual SAN
• VMotion version 5.1 which allows you to take a virtual machine and migrate it across a cluster
Resolution
You've reached the point where Oracle has provided you with a report of its findings. It is quite likely that you've already had preview of what is coming based on the discussion with Oracle over the previous weeks or months. Once Oracle is satisfied that it has covered all of the areas to be examined it will finally settle on a formal position which it will then present in
If you are using a form of server virtualisation then Oracle requires proof of the virtual to physical mapping.
“
4
monetrary terms also.
At this stage Oracle LMS will brief your account manager who will “help you” overcome any shortfall. This is where the fun starts!
It is important to understand what motivates the various players in this situation.
Oracle LMS has an overt remit to protect Oracle's support revenue stream by ensuring correct licensing by its clients.
Oracle sales is incentivised to sell new licences and does not focus on supporting long-‐term support revenue. They will of course be looking for a speedy commercial resolution.
It can sound like you are getting mixed messages. Oracle LMS may talk of the need to backdate support for any under licensed products. This could be as far back as three years. All back support will be quoted at 150% of support fees for each year. Now that can be a big number but don’t panic. Oracle are trying to inflate the non compliance if there is one, to as large as possible so that they can appear to give a lot when negotiating.
The reality is that the sales team and their management are more focused on new licence revenue and in every instance we are aware of the back support was waived. This is an easy thing for them
5
to do, so do not concede too much on this.
If you have been accidentally using product which you have no interest in using in the
6
future, you can simply cover a backward shortfall by purchasing a term licence for the usage term in question. Term licences are obtainable from 1 to 5 years at a reduced price from the normal licence; however support is still 22% of the full price per annum.
If you have to spend money on licences it makes far more sense to spend it on new licences moving forwards, ones which will add value to your business.
You will find your Oracle account manager far more interested in selling you new licences as they will be looking to position the purchase as value add to your business rather than perceived as a ‘fine’.
It is important to work with the Sales Rep as really this is your leverage. Park the fact it may be non-‐compliance for now and work as if it was a net purchase and negotiate hard. Oracle will say that your price holds and previous agreed discounts don’t apply. Push through this and play hard. You still have time on your side. Oracle will be looking for a quick commercial pay off, timing and quarter ends can make a difference to negotiating a better discount.
Beware though of purchasing product you do not understand or can’t see any use for. Apply the usual
During this phase you will get far more value by engaging independent specialists to aid you in your negotiations
“
7
scepticism. We have seen many well balanced negotiations which ended in clients purchasing useful product which added value to their future architectures rather than throwing good money after bad in resolving a licence shortfall.
During this phase you will get far more value by engaging independent specialists to aid you in your negotiations and to assess Oracle's offers, we have been there many times.
1
APPENDIX A – LMS script details.
Database
File Name Type Purpose
CPU Queries Instructions
.pdf Instructions on running lms_cpuq.sh
lms_cpuq Window NT command script
The attached scripts cover the following operating systems: Windows, Novell Netware, Sun Solaris, IBM AIX, HP UX, Linux and Dec Alpha AXP. The script will detect the operating system running on the server where it is called and the appropriate command is executed to gather server information
lms_cpuq SH file The attached scripts cover the following operating systems: Windows, Novell Netware, Sun Solaris, IBM AIX, HP UX, Linux and Dec Alpha AXP. The script will detect the operating system running on the server where it is called and the appropriate command is executed to gather server information
2
ReviewLite14.2.0 SQL file This script checks * Database version installed * Database CPU number * Stand by server name (if is installed on OEE) Also checks for the options installed and confirms if options are being used: * OLAP * SPATIAL * PARTITIONING * RAC (Real Application Clusters) * LABEL SECURITY * OEM (Oracle Enterprise Manager) PACKS * DATA MINING * AUDIT VAULT * DATABASE VAULT * CONTENT DATABASE * RECORDS DATABASE * ADVANCED SECURITY * ACTIVE DATA GUARD * ADVANCED COMPRESSION
ReviewLite14.2 .pdf Instructions
Middleware OAS File Name Type Purpose
OAS-‐usage-‐measurement-‐script-‐instructions
.pdf Oracle Application Server (OAS) Usage Measurement Script Instructions
oas-‐script-‐unix-‐v12_4
lms_cpuq SH file this script is used to gather Operating System information for use by the Oracle LMS team
oas_query_v12_4 SH file this script gathers information about installed Oracle AS products
oas-‐script-‐windows-‐v12_4
lms_cpuq.cm_ CM file this script is used to gather Windows Operating System information for use by the Oracle LMS team
oas_query_v12_4.cm_ CM file this script gathers information about installed Oracle AS products
3
oam_search.cm_ CM file Looks for OAM files
E-‐Business Suite (EBS) UNIX File Name Type Purpose
2_LMS_EBS_Exp_Tool_INSTRUCTIONS
.pdf Oracle E-‐Business Suite Export Tool Instructions for UNIX Operating Systems
lms_esb_exp_tool .tar EBS scripts for Unix
apps_ddl SQL file
THIS SCRIPT CHECKS FOR DDL CHANGES IN THE DATABASE
expapps .dat
expapps_checkver
.dat
expapps_loginresp
.dat
expapps_loginv8resp
.dat
expapps_logins .dat
expapps_loginsv8
.dat
expapps_WF .dat
expapps_WFv8 .dat
expicx
.dat
license_agreement
.txt Script usage licence
lms_ebs_exp .sh Agree to script usage licence agreement
4
usage_based SQL file
This script checks usage based products of E-‐Business Suite (Versions 11 and 12)
Enhancement to OEEL_11i, HR_E, HR_P, HR_Types, Removed iSupplier Portal.
Removed: OE_10.7, OEEL_10.7, OEEO (all versions), iReceivables
E-‐Business Suite (EBS) Windows File Name Type Purpose
expapps_win fndnt .bat fndnt.bat (Original is fndnt.rename_to_bat)
This script exports the FND tables used in the LMS measurement process. The following tables are exported:
• FND_LOGINS • FND_LOGIN_RESPONSIBILITIES • FND_USER • FND_APPLICATION_TL • FND_APPLICATION • FND_RESPONSIBILITY_TL • FND_RESPONSIBILITY • FND_PRODUCT_INSTALLATIONS • FND_USER_RESPONSIBILITY • RND_USER_RESP_GROUPS • FND_SECURITY_GROUPS • WF_LOCAL_USER_ROLES
expapps .dat TABLES=(FND_USER, FND_USER_RESPONSIBILITY, FND_USER_RESP_GROUPS, FND_SECURITY_GROUPS, FND_APPLICATION, FND_APPLICATION_TL, FND_RESPONSIBILITY, FND_RESPONSIBILITY_TL, FND_PRODUCT_INSTALLATIONS)
5
expapps_logins .dat TABLES=(FND_LOGINS, FND_LOGIN_RESPONSIBILITIES)
expapps_loginsv8 .dat TABLES=(FND_LOGINS, FND_LOGIN_RESPONSIBILITIES)
expapps_WF .dat TABLES=(WF_LOCAL_USER_ROLES) QUERY="WHERE ROLE_ORIG_SYSTEM = 'FND_RESP'"
expapps_WFv8 .dat TABLES=(WF_LOCAL_USER_ROLES)
expicx .dat TABLES=(icx_sessions)
usage_based SQL file
This script checks usage based products of E-‐Business Suite (Versions 11 and 12)
Enhancement to OEEL_11i, HR_E, HR_P, HR_Types, Removed iSupplier Portal.
Removed: OE_10.7, OEEL_10.7, OEEO (all versions), Suite (Versions 11 and 12)
Enhancement to OEEL_11i, HR_E, HR_P, HR_Types, Removed iSupplier Portal.
Removed: OE_10.7, OEEL_10.7, OEEO (all versions), iReceivables
apps_ddl SQL file
THIS SCRIPT CHECKS FOR DDL CHANGES IN THE DATABASE
1_Enabling_Audit_Function .doc Instructions
2_Export_Windows .doc Instructions
About Madora Consulting
Madora Consulting was founded to provide Oracle licence know how to organisations operating within the Oracle ecosystem. Our clients include; asset management vendors, software discovery tool vendors, resellers and end users. With over thirty years of Oracle experience, Madora endeavour to share their knowledge to reduce risks, costs and the complexity associated with Oracle Licensing. Operating from the UK, but with global reach, Madora provide expert Advice, Training, Project Management and Assurance Services remotely or on-‐site.
P: +44 (0) 1298-27160 E: [email protected] W: madora.co.uk
Madora Consulting
Culvert Farm, Quarnford, Buxton, SK17 0SR. UK P: +44 (0) 1298-27160 E: [email protected]
21
1
Keith
2
Jane Kay
1
Charles
2
Are you under threat of an Audit?
If you are under threat of an Audit or if an Oracle Audit is in flight we can help. You have a number of options and can vary between these two extremes: A light touch advisory service where Madora will be in support, helping you through the process and providing validation of any Oracle feedback. Or a detailed compliance licence review on your behalf so you have all the required information to challenge any data or assumptions provided by Oracle. We can then work with you to manage Oracle and reduce any legal and financial exposure. Visit our web site Madora.co.uk for more information