// MCP TOOL REFERENCE

IBMZ TOOLS

13 tools from the Ibmz MCP Server, categorised by risk level.

View the Ibmz policy →

READ TOOLS

3
key_protect_get_key Get metadata and details of a specific key from IBM Key Protect key_protect_get_key_policies Get policies applied to a key (rotation, dual authorization) key_protect_list_keys List encryption keys from IBM Key Protect (HSM-backed on IBM Z infrastructure, FIPS 140-2 Level 3 certified)

WRITE TOOLS

9
key_protect_create_key Create a new encryption key in IBM Key Protect HSM. Root keys protect other keys (envelope encryption). Standard keys encrypt data directly. 3/5 key_protect_rotate_key Rotate a root key. Creates new key version while maintaining ability to unwrap data encrypted with previous versions. 2/5 key_protect_unwrap_key Unwrap (decrypt) a wrapped data encryption key using a root key 2/5 key_protect_wrap_key Wrap (encrypt) a data encryption key using a root key. Used for envelope encryption - protects DEKs with a KEK stored in HSM. 2/5 zos_connect_call_service Call a z/OS Connect REST API to interact with mainframe programs. Maps JSON to COBOL copybooks automatically. 2/5 zos_connect_get_service Get detailed information about a z/OS Connect service including its OpenAPI specification and endpoint mappings 2/5 zos_connect_health Check the health status of the z/OS Connect server and connected subsystems 2/5 zos_connect_list_apis List all deployed API requester configurations (outbound calls from z/OS to external services) 2/5 zos_connect_list_services List all available z/OS Connect services (REST APIs exposing mainframe programs). Each service maps to CICS transactions, IMS programs, or batch jobs. 2/5

DESTRUCTIVE TOOLS

1
key_protect_delete_key Delete a key from IBM Key Protect. WARNING: This is irreversible and data encrypted with this key becomes unrecoverable. 4/5
// FAQ
How many tools does the Ibmz MCP server have? +

The Ibmz MCP server exposes 13 tools across 3 categories: Read, Write, Destructive.

How do I enforce policies on Ibmz tools? +

Use Intercept, the open-source MCP proxy. Write YAML rules for each tool — rate limits, argument validation, or deny rules — then run Intercept in front of the Ibmz server.

What risk categories do Ibmz tools fall into? +

Ibmz tools are categorised as Read (3), Write (9), Destructive (1). Each category has a recommended default policy.

Enforce policies on Ibmz

Open source. One binary. Zero dependencies.

npx -y @policylayer/intercept
github.com/policylayer/intercept →
// GET IN TOUCH

Have a question or want to learn more? Send us a message.

Message sent.

We'll get back to you soon.