MCP server

The OpenText Analytics Database MCP server is a secure, JWT-authenticated server that implements Model Context Protocol (MCP) for database interactions between your database and AI agents.

The OpenText™ Analytics Database MCP server is a secure, JWT-authenticated server that implements Model Context Protocol (MCP) for database interactions between your database and AI agents. It provides a tool for executing queries, managing job queues, and interacting with the database through APIs.

Prerequisites

System requirements

  • Operating System: Linux (Ubuntu/RHEL/CentOS)
  • OpenText™ Analytics Database: Already running and accessible
  • SSL Certificates: Valid server certificates for HTTPS
  • VCluster Web Service running: required for retrieving nodes, info, and so forth. Starting the MCP server starts the VCluster Web Service if you use the default configuration.

Network requirements

The following ports must be accessible through the firewall:

  • 8667: Default port for MCP server. Must be open for HTTPS connection.
  • 8665: Default for VCluster services.
  • 5443: Database port.

Database access

  • Valid database credentials.
  • Database user with appropriate permissions to execute intended queries.
  • Network connectivity to the database server.

Required files and directories

Ensure the following files and directories exist before starting the MCP server:

  • SSL Certificate (default location: /opt/vertica/config/vcluster_server/):
    • server.pem
    • server.key
    • rootca.pem
  • Configuration Directory (this is auto-created if it is missing):
    • /opt/vertica/config/
    • /opt/vertica/config/mcp_server/
  • Log Directory (this is auto-created if it is missing):
    • /opt/vertica/log/

Starting the MCP server

There are three methods to start the MCP server: with the default configuration, with a custom configuration file, or you can override the default config with Environment Variables.

Starting the MCP server with the default configuration

Run the following command to start the MCP server with default settings:

/opt/vertica/bin/manage_vcluster_server start

This starts both the MCP server and VCluster server.

To start only the MCP server:

/opt/vertica/bin/manage_vcluster_server start mcp_server

Starting the MCP server with a custom configuration file

./mcp_server --config /path_to_custom_config.yaml

Overriding the default config with Environment Variables

You can set environment variables to override default configuration settings. For example:

export MCP_SERVER_ADDR=":8667"
export MCP_LOG_DIR="/var/log/mcp"
export VERTICA_HOST="192.168.1.100"
export VERTICA_PORT="5434"
./mcp_server

Log files for the MCP server are located by default at /opt/vertica/log/mcp_server.log and /opt/vertica/log/mcp_audit.log.

Obtaining JWT tokens

After starting the MCP server, JWT tokens are required for authentication. Each token contains encrypted database credentials and user information. You can either use the interactive generator to create tokens or input parameters in the command line.

Generating a token using the interactive generator

Run:

./mcp_server --generate-token

The following are the prompts (with example inputs):

Enter user ID: dbadmin
Enter database name: mydb
Enter password: ********
Enter description (optional): Database Administrator
Enter expiration days (default 365): 365

Generating a token using command line inputs

Run (with all parameters specified):

./mcp_server --generate-token \
  --userid dbadmin \
  --dbname mydb \
  --dbpass mypassword \
  --description "Data Analyst" \
  --expiration-days 90

Token output

Regardless of the method used, the output will be a JWT token string that can be used for authenticating requests to the MCP server:

Generated JWT Token:
eyJhbGciOiJIUzI1NiIsInR5cCI6IkpXVCJ9.eyJ1c2VyaWQiOiJkYmFkbWluIiwiZGJfbmFtZSI6Im15ZGIiLCJwYXNzd29yZCI6ImVuY3J5cHRlZF9wYXNzd29yZCIsImlhdCI6MTczMjI0MzYzMSwibmJmIjoxNzMyMjQzNjMxLCJleHAiOjE3NjM3Nzk2MzF9.abc123...

Client added to /opt/vertica/config/mcp_server/client.yaml
Status: active

Tokens are stored in /opt/vertica/config/mcp_server/client.yaml and you can manage them there.

Token security best practices

  • Use short expiration times for sensitive environments (30-90 days)
  • Store tokens securely - treat them like passwords
  • Never commit tokens to version control
  • Rotate tokens regularly - regenerate before expiration
  • Use HTTPS only - never send tokens over unencrypted connections
  • Monitor audit logs - review authentication attempts

In this section