Ibmz

STDIOregistry active

Summary

Bridges Claude to IBM Z mainframes through two distinct paths: Key Protect for HSM-backed encryption (FIPS 140-2 Level 3) and z/OS Connect for calling CICS, IMS, and batch programs via REST. On the crypto side, you get envelope encryption workflows like wrapping DEKs with root keys that never leave the hardware, plus rotation and policy management. On the mainframe side, it translates JSON to COBOL copybooks so you can invoke legacy programs without touching JCL. Useful when you need Claude to orchestrate key lifecycles in regulated environments or interact with core banking and transaction systems that still run on Big Iron. Requires IBM Cloud credentials for Key Protect and mainframe auth for z/OS Connect.

CodeRabbit

AI writes the code. CodeRabbit catches the slop.

Try For Free →

Keep your Mac awake

Keep your Mac awake while Claude Code and 40+ AI agents run. Sleeps when they're idle.

One time payment $9 →

Context.dev

Integrate web data into your AI product. One API to scrape website & brand data.

Get API Key Now →

Make your agent a DeFi expert

Agent, run crypto. Access onchain data & trade routes via 1inch.

Install now →

Make money from your Skills

On Capafy, your Skill runs online 24/7 as an agent product, and you get paid every time someone uses it.

Start earning →

AppSignal

Monitor with ease. Code with confidence.

Start Free Trial →

CodeRabbit

AI writes the code. CodeRabbit catches the slop.

Try For Free →

Keep your Mac awake

Keep your Mac awake while Claude Code and 40+ AI agents run. Sleeps when they're idle.

One time payment $9 →

Context.dev

Integrate web data into your AI product. One API to scrape website & brand data.

Get API Key Now →

Make your agent a DeFi expert

Agent, run crypto. Access onchain data & trade routes via 1inch.

Install now →

Make money from your Skills

On Capafy, your Skill runs online 24/7 as an agent product, and you get paid every time someone uses it.

Start earning →

AppSignal

Monitor with ease. Code with confidence.

Start Free Trial →

ibmz-mcp-server

[!License: MIT](https://opensource.org/licenses/MIT) [!MCP](https://modelcontextprotocol.io) [!npm](https://www.npmjs.com/package/ibmz-mcp-server)

MCP server for IBM Z mainframe integration. Provides HSM-backed key management via IBM Key Protect (FIPS 140-2 Level 3) and REST API access to mainframe programs (CICS, IMS, batch) via z/OS Connect.

Tools (12 total)

Key Protect -- HSM Key Management

Tool	Description
`key_protect_list_keys`	List encryption keys in Key Protect
`key_protect_create_key`	Create root or standard keys
`key_protect_get_key`	Get key details and metadata
`key_protect_wrap_key`	Wrap (encrypt) a DEK with a root key
`key_protect_unwrap_key`	Unwrap (decrypt) a wrapped DEK
`key_protect_rotate_key`	Rotate a root key
`key_protect_delete_key`	Delete a key (irreversible)
`key_protect_get_key_policies`	Get rotation and dual-auth policies

z/OS Connect -- Mainframe Integration

Tool	Description
`zos_connect_list_services`	List available mainframe services
`zos_connect_get_service`	Get service details and OpenAPI spec
`zos_connect_call_service`	Call a mainframe program via REST (JSON to COBOL)
`zos_connect_list_apis`	List outbound API configurations
`zos_connect_health`	Check z/OS Connect server health

Install

npm install

Configuration

{
  "mcpServers": {
    "ibmz": {
      "type": "stdio",
      "command": "node",
      "args": ["/path/to/ibmz-mcp-server/index.js"],
      "env": {
        "IBM_CLOUD_API_KEY": "your-api-key",
        "KEY_PROTECT_INSTANCE_ID": "your-instance-id",
        "KEY_PROTECT_URL": "https://us-south.kms.cloud.ibm.com"
      }
    }
  }
}

Environment Variables

Variable	Description	Required
`IBM_CLOUD_API_KEY`	IBM Cloud API key	Yes (Key Protect)
`KEY_PROTECT_INSTANCE_ID`	Key Protect instance OCID	Yes (Key Protect)
`KEY_PROTECT_URL`	Key Protect endpoint	No (defaults to us-south)
`ZOS_CONNECT_URL`	z/OS Connect base URL	Yes (z/OS Connect)
`ZOS_CONNECT_USERNAME`	Mainframe username	Yes (z/OS Connect)
`ZOS_CONNECT_PASSWORD`	Mainframe password	Yes (z/OS Connect)

Key Concepts

Envelope Encryption

Root keys (KEK) are stored in the HSM and never leave the hardware. Data encryption keys (DEK) are wrapped by root keys for safe storage alongside ciphertext.

z/OS Connect

REST APIs that automatically map JSON payloads to COBOL copybooks, enabling access to CICS transactions, IMS programs, and batch jobs.

Dependencies

@modelcontextprotocol/sdk -- MCP protocol SDK
@ibm-cloud/ibm-key-protect -- Key Protect client
ibm-cloud-sdk-core -- IBM Cloud authentication

License

MIT

Featured

CodeRabbit

AI writes the code. CodeRabbit catches the slop.

Try For Free →

Keep your Mac awake

Keep your Mac awake while Claude Code and 40+ AI agents run. Sleeps when they're idle.

One time payment $9 →

Context.dev

Integrate web data into your AI product. One API to scrape website & brand data.

Get API Key Now →

Make your agent a DeFi expert

Agent, run crypto. Access onchain data & trade routes via 1inch.

Install now →

Make money from your Skills

On Capafy, your Skill runs online 24/7 as an agent product, and you get paid every time someone uses it.

Start earning →

AppSignal

Monitor with ease. Code with confidence.

Start Free Trial →

Registryactive

Packageibmz-mcp-server

TransportSTDIO

UpdatedFeb 14, 2026

View on GitHub

ibmz-mcp-server

MCP server for IBM Z mainframe integration. Provides HSM-backed key management via IBM Key Protect (FIPS 140-2 Level 3) and REST API access to mainframe programs (CICS, IMS, batch) via z/OS Connect.

Tools (12 total)

Key Protect -- HSM Key Management

Tool

Description

key_protect_list_keys

List encryption keys in Key Protect

key_protect_create_key

Create root or standard keys

key_protect_get_key

Get key details and metadata

key_protect_wrap_key

Wrap (encrypt) a DEK with a root key

key_protect_unwrap_key

Unwrap (decrypt) a wrapped DEK

key_protect_rotate_key

Rotate a root key

key_protect_delete_key

Delete a key (irreversible)

key_protect_get_key_policies

Get rotation and dual-auth policies

z/OS Connect -- Mainframe Integration

Tool

Description

zos_connect_list_services

List available mainframe services

zos_connect_get_service

Get service details and OpenAPI spec

zos_connect_call_service

Call a mainframe program via REST (JSON to COBOL)

zos_connect_list_apis

List outbound API configurations

zos_connect_health

Check z/OS Connect server health

Configuration

{ "mcpServers": { "ibmz": { "type": "stdio", "command": "node", "args": ["/path/to/ibmz-mcp-server/index.js"], "env": { "IBM_CLOUD_API_KEY": "your-api-key", "KEY_PROTECT_INSTANCE_ID": "your-instance-id", "KEY_PROTECT_URL": "https://us-south.kms.cloud.ibm.com" } } } }

Environment Variables

Variable

Description

Required

IBM_CLOUD_API_KEY

IBM Cloud API key

Yes (Key Protect)

KEY_PROTECT_INSTANCE_ID

Key Protect instance OCID

Yes (Key Protect)

KEY_PROTECT_URL

Key Protect endpoint

No (defaults to us-south)

ZOS_CONNECT_URL

z/OS Connect base URL

Yes (z/OS Connect)

ZOS_CONNECT_USERNAME

Mainframe username

Yes (z/OS Connect)

ZOS_CONNECT_PASSWORD

Mainframe password

Yes (z/OS Connect)

Key Concepts

Envelope Encryption

Root keys (KEK) are stored in the HSM and never leave the hardware. Data encryption keys (DEK) are wrapped by root keys for safe storage alongside ciphertext.

z/OS Connect

REST APIs that automatically map JSON payloads to COBOL copybooks, enabling access to CICS transactions, IMS programs, and batch jobs.