IBM Guardium Cryptographic Manager (GCM) MCP Server - A Model Context Protocol server for interacting with IBM GCM’s cryptographic asset management platform.
This MCP server provides tools to interact with IBM Guardium Cryptographic Manager, enabling:
# Clone the repository
git clone <repository-url>
cd gcm-mcp-server
# Create .env file from example
cp env.example .env
# Edit .env with your GCM credentials
nano .env # or use your preferred editor
# Build the image
podman build -t gcm-mcp-server:latest .
# Run with volume mount for persistent key storage
podman run -d \
  --name gcm-mcp-server \
  -p 8002:8002 \
  -v gcm-keys:/data \
  --env-file .env \
  gcm-mcp-server:latest
# Check if the server is running
podman logs gcm-mcp-server
# Verify health
curl http://localhost:8002/health
Expected health response:
{
  "status": "ok",
  "server": "GCM MCP Server",
  "version": "1.0.0",
  "transport": "sse",
  "auth_required": true
}
The API key is required for Bob IDE to authenticate with the MCP server.
# Generate a new API key (must be run from within the running container, or edit server.py on line 101 and add your machine's IP)
curl -X POST http://localhost:8002/admin/keys \
  -H "Content-Type: application/json" \
  -d '{"user": "bob-ide-user"}'
Response:
{
  "key": "gcm_1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcd",
  "user": "bob-ide-user",
  "created": "2026-03-13T17:00:00Z",
  "key_prefix": "gcm_1234"
}
Important: Save the key value - you’ll need it for Bob IDE configuration.
Bob IDE stores MCP server configurations in:
~/.bob/mcp_settings.json
%USERPROFILE%\.bob\mcp_settings.json
Edit the configuration file and add the GCM MCP server:
{
  "mcpServers": {
    "gcm-mcp-server": {
      "url": "http://localhost:8002/sse",
      "transport": "sse",
      "headers": {
        "Authorization": "Bearer gcm_1234567890abcdef1234567890abcdef1234567890abcdef1234567890abcd"
      }
    }
  }
}
Replace the Bearer token with your actual API key from step 3.
After adding the configuration, restart Bob IDE to load the new MCP server.
Add a new slash command named gcmapp via the chat window and add the following to the description:
---
description: "this slash command will always use the gcm-mcp-server to execute commands"
---
When this slash command is executed, it will use the gcm-mcp-server to run the command and return the output.
In Bob IDE, you should now be able to use the /gcmmcp command to interact with GCM:
/gcmmcp Get a summary of all cryptographic assets
/gcmmcp List open tickets
/gcmmcp Show authentication status
The following file contains an extensive list of prompts to be used in Bob IDE: GCM-MCP-EXAMPLE-PROMPTS.md
Create a .env file with the following variables:
# Required - GCM Server Connection
GCM_HOST=your-gcm-hostname.com
GCM_USERNAME=your_username
GCM_PASSWORD=your_password
GCM_CLIENT_SECRET=your_client_secret
# Optional - Ports (defaults shown)
GCM_API_PORT=31443
GCM_KEYCLOAK_PORT=30443
# Optional - Authentication
GCM_CLIENT_ID=gcmclient
GCM_AUTH_MODE=auto
# Optional - SSL & Timeouts
GCM_VERIFY_SSL=false
GCM_REQUEST_TIMEOUT=30
# Optional - MCP Server
GCM_MCP_KEY_STORE_PATH=/data/keys.json
GCM_LOG_LEVEL=INFO
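The following check is an added example, not part of the project's code: it reads the contents of .env and mcp_settings.json as shown on this page and reports certificate verification being switched off, sample placeholders left in place, and an API key configured to travel over plain HTTP to a non-loopback host. The function names, the sample inputs and the treatment of any non-literal hostname as remote are assumptions made for the example.

```python
import ipaddress
import json
from urllib.parse import urlsplit

# Placeholder values copied from the sample .env on this page.
PLACEHOLDERS = {"your-gcm-hostname.com", "your_username",
                "your_password", "your_client_secret"}

# Constructed sample inputs (192.0.2.10 is a documentation address).
SAMPLE_ENV = "GCM_HOST=gcm.example.internal\nGCM_PASSWORD=your_password\nGCM_VERIFY_SSL=false\n"
SAMPLE_SETTINGS = json.dumps({"mcpServers": {"gcm-mcp-server": {
    "url": "http://192.0.2.10:8002/sse", "transport": "sse",
    "headers": {"Authorization": "Bearer gcm_<your-api-key>"}}}})


def parse_env(text):
    """Parse KEY=VALUE lines, skipping blanks and # comments."""
    env = {}
    for line in text.splitlines():
        line = line.strip()
        if line and not line.startswith("#") and "=" in line:
            key, value = line.split("=", 1)
            env[key.strip()] = value.strip()
    return env


def is_loopback(host):
    """True for localhost and loopback IP literals; other names count as remote."""
    if host == "localhost":
        return True
    try:
        return ipaddress.ip_address(host).is_loopback
    except ValueError:
        return False


def audit(env_text, settings_text):
    """Return findings for the contents of .env and mcp_settings.json."""
    findings = []
    env = parse_env(env_text)
    if env.get("GCM_VERIFY_SSL", "").lower() == "false":
        findings.append("GCM_VERIFY_SSL=false: TLS certificates are not verified")
    findings += [f"{k} still holds a sample placeholder"
                 for k, v in env.items() if v in PLACEHOLDERS]
    for name, cfg in json.loads(settings_text).get("mcpServers", {}).items():
        url = urlsplit(cfg.get("url", ""))
        if ("Authorization" in cfg.get("headers", {}) and url.scheme == "http"
                and not is_loopback(url.hostname or "")):
            findings.append(f"{name}: API key sent over plain HTTP to {url.hostname}")
    return findings
```

The loopback case matters here because the container is published with -p 8002:8002, so the same port that serves http://localhost:8002/sse is also reachable on the host's other interfaces.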
The API keys are stored in /data/keys.json inside the container. To persist keys across container restarts, use a volume:
# Create a named volume
podman volume create gcm-keys
# Run with volume mount
podman run -d \
  --name gcm-mcp-server \
  -p 8002:8002 \
  -v gcm-keys:/data \
  --env-file .env \
  gcm-mcp-server:latest
curl http://localhost:8002/admin/keys
Response:
{
  "keys": [
    {
      "key_prefix": "gcm_1234",
      "user": "bob-ide-user",
      "created": "2026-03-13T17:00:00Z"
    }
  ]
}
curl -X DELETE http://localhost:8002/admin/keys/gcm_1234
Note: Admin endpoints are only accessible from localhost for security.
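The listing above returns only key_prefix, user and created, and revocation addresses a key by its prefix. As an added example (not the project's server.py, whose storage format is not shown on this page), here is one way a key store can support issue, verify, list and revoke-by-prefix while keeping only a SHA-256 digest of each key; the class name, the "sha256" field and the 64-hex-character key body are assumptions.

```python
import hashlib
import hmac
import secrets
from datetime import datetime, timezone

PREFIX_LEN = 8  # "gcm_" plus four characters, like the key_prefix shown above


class KeyStore:
    """In-memory stand-in for a keys.json that never holds a usable key."""

    def __init__(self):
        self.records = []  # the data that would be written to the key store file

    def issue(self, user):
        key = "gcm_" + secrets.token_hex(32)  # assumed format: prefix + random hex
        self.records.append({
            "key_prefix": key[:PREFIX_LEN],
            "user": user,
            "created": datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%SZ"),
            "sha256": hashlib.sha256(key.encode()).hexdigest(),
        })
        return key  # returned once to the caller, never stored

    def verify(self, authorization_header):
        """Return the user for a valid 'Bearer <key>' header, else None."""
        scheme, _, key = authorization_header.partition(" ")
        if scheme != "Bearer" or not key.startswith("gcm_"):
            return None
        digest = hashlib.sha256(key.encode()).hexdigest()
        user = None
        for rec in self.records:  # constant-time comparison against each record
            if hmac.compare_digest(rec["sha256"], digest):
                user = rec["user"]
        return user

    def list_keys(self):
        """Metadata only, matching the fields in the listing response above."""
        return [{k: r[k] for k in ("key_prefix", "user", "created")}
                for r in self.records]

    def revoke(self, key_prefix):
        """Remove every key with this prefix and return how many were removed."""
        before = len(self.records)
        self.records = [r for r in self.records if r["key_prefix"] != key_prefix]
        return before - len(self.records)
```

An eight-character prefix leaves only four random characters, so two keys can share one; revoke() therefore returns a count, and a result above 1 means more than one user has to be issued a new key.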
The GCM MCP Server provides three main tools:
gcm_auth - Authentication Management
Manage GCM authentication sessions.
Actions:
login - Authenticate with GCM
logout - End current session
status - Check authentication status
refresh - Refresh authentication token
gcm_api - API Operations
Execute any GCM API operation.
Parameters:
service - Service name (e.g., “assetinventory”, “tde”, “clm”)
operation - Operation to perform (e.g., “assets.list_certificates”)
method - HTTP method (GET, POST, PUT, DELETE)
endpoint - Direct API endpoint path
body - Request body (for POST/PUT)
params - Query parameters
gcm_discover - Service Discovery
Discover available GCM services and endpoints.
Categories:
services - List all available services
endpoints - List endpoints for a specific service
# Follow logs in real-time
podman logs -f gcm-mcp-server
# View last 100 lines
podman logs --tail 100 gcm-mcp-server
podman stop gcm-mcp-server
podman start gcm-mcp-server
podman rm -f gcm-mcp-server
# Stop and remove existing container
podman rm -f gcm-mcp-server
# Rebuild image
podman build -t gcm-mcp-server:latest .
# Run new container
podman run -d \
  --name gcm-mcp-server \
  -p 8002:8002 \
  -v gcm-keys:/data \
  --env-file .env \
  gcm-mcp-server:latest
# Create virtual environment
python -m venv venv
source venv/bin/activate # On Windows: venv\Scripts\activate
# Install dependencies
pip install -r requirements.txt
# SSE mode (for Bob IDE)
python -m src.server --transport sse --host 0.0.0.0 --port 8002
# Stdio mode (for local testing)
python -m src.server
# Check container logs
podman logs gcm-mcp-server
# Verify .env file is present and correct
cat .env
# Test GCM connectivity
curl -k https://your-gcm-host:31443/health
curl http://localhost:8002/health
curl http://localhost:8002/admin/keys
~/.bob/mcp_settings.json exists
http://localhost:8002/sse
# On Linux/macOS
sudo lsof -i :8002
# On Windows
netstat -ano | findstr :8002
podman exec gcm-mcp-server cat .env
curl -X POST http://localhost:8002/admin/test-auth
curl -k https://your-gcm-host:31443/health
curl from the same machine running the container
/data/keys.json
GCM_VERIFY_SSL=true in production
.env file to version control
--network host for production deployments
For issues, questions, or contributions:
podman logs gcm-mcp-server
curl http://localhost:8002/health