MCP server
The OpenText™ Analytics Database MCP server is a secure, JWT-authenticated server that implements Model Context Protocol (MCP) for database interactions between your database and AI agents. It provides a tool for executing queries, managing job queues, and interacting with the database through APIs.
Prerequisites
System requirements
- Operating System: Linux (Ubuntu/RHEL/CentOS).
- OpenText™ Analytics Database: Already running and accessible.
- VCluster Web Service running: required to retrieve node and cluster information. When using the default configuration, starting the MCP server automatically starts the VCluster Web Service.
Note
The MCP server is not supported on Kubernetes in the 26.1 release, but will be supported in later releases.Network requirements
The following ports must be accessible through the firewall:
- 8667: Default port for MCP server. Must be open for HTTPS connection.
- 8665: Default for VCluster services.
Database access
- Valid database credentials.
- Database user with appropriate permissions to execute intended queries.
- Network connectivity to the database server.
Required files and directories
Ensure the following files and directories exist before starting the MCP server:
- SSL Certificate (default location:
/opt/vertica/config/vcluster_server/):server.pemserver.keyrootca.pem
- Configuration Directory (this is auto-created if it is missing):
/opt/vertica/config//opt/vertica/config/mcp_server/
- Log Directory (this is auto-created if it is missing):
/opt/vertica/log/
Starting the MCP server
Run the following command to start the MCP server:
/opt/vertica/bin/manage_vcluster_server start
This starts both the MCP server and VCluster server.
To start only the MCP server:
/opt/vertica/bin/manage_vcluster_server start mcp_server
Note
You can customize your MCP server configuration by editing/opt/vertica/config/mcp_server.yaml.
Log files for the MCP server are located by default at /opt/vertica/log/mcp_server.log and /opt/vertica/log/mcp_audit.log.
Obtaining JWT tokens
After starting the MCP server, JWT tokens are required for authentication. Each token contains encrypted database credentials and user information. You can either use the interactive generator to create tokens or input parameters in the command line.
Generating a token using the interactive generator
Run:
/opt/vertica/bin/vertica_mcp_server --generate-token
The following are the prompts (with example inputs):
Enter user ID: dbadmin
Enter database name: mydb
Enter password: ********
Enter description (optional): Database Administrator
Enter expiration days (default 365): 365
Generating a token using command line inputs
Run (with all parameters specified):
./mcp_server --generate-token \
--userid dbadmin \
--dbname mydb \
--dbpass mypassword \
--description "Data Analyst" \
--expiration-days 90
Token output
Regardless of the method used, the output will be a JWT token string that can be used for authenticating requests to the MCP server:
Generated JWT Token:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyaWQiOiJkYmFkbWluIiwiZGJfbmFtZSI6Im15ZGIiLCJwYXNzd29yZCI6ImVuY3J5cHRlZF9wYXNzd29yZCIsImlhdCI6MTczMjI0MzYzMSwibmJmIjoxNzMyMjQzNjMxLCJleHAiOjE3NjM3Nzk2MzF9.abc123...
Client added to /opt/vertica/config/mcp_server/client.yaml
Status: active
Token signatures are stored in /opt/vertica/config/mcp_server/client.yaml and you can manage them there.
Token security best practices
- Use short expiration times for sensitive environments (30-90 days).
- Store tokens securely - treat them like passwords.
- Never commit tokens to version control.
- Rotate tokens regularly - regenerate before expiration.
- Use HTTPS only - never send tokens over unencrypted connections.
- Monitor audit logs - review authentication attempts.