AWS deprecation of TLS below v1.2 & impact to instruments connecting to Illumina Connected Services

Illumina Connected Services, such as BaseSpace, ICA, and Proactive, run on Amazon Web Services (AWS). AWS announced deprecation of TLS (Transport Layer Security) versions below 1.2 for all AWS service API endpoints. The encryption methods on many Illumina instruments currently use TLS v1.0 and TLS v1.1. To respond to evolving technology and conform to the most up to date security standards, AWS and other cloud providers will be updating the TLS configuration to a minimum version of TLS v1.2.

While this change significantly improves Illumina security, it also means that beyond December 31st, 2023, certain instruments with control software versions indicated in Table 1, below, will not be able to connect or send data to the following Illumina cloud services:

• BaseSpace Sequence Hub (BSSH)

• Illumina Connected Analytics

• Checking and installing software updates online

• Run monitoring through MyIllumina

• Illumina Proactive

Instrument users are urged to do one of the following below, in order of priority:

Option 1: Upgrade to latest version of control software on instrument indicated in Table 1, below.

Option 2: If upgrading is not an option, make sure that TLS 1.2 is enabled on the instrument using the instructions in the option 2 section, below.

Option 3: If neither of the above actions can be taken, Illumina recommends setting up runs in local mode without connecting to any cloud services.

Note: see detailed information for Option 1, Option 2 and Option 3 below.

Option 1: Upgrade to latest control software version.

Table 1. Impacted instruments and mitigations for available instrument control software versions.

\*While NovaSeq 6000 control software versions 1.8.0 and 1.8.0.43 are not impacted, Illumina still recommends upgrading to latest control software version of 1.8.1.

For any other instrument platforms, contact your local Illumina field representative or Illumina Technical Support.

Option 2: Make sure that TLS v1.2 is enabled on the instrument.

TLS 1.2 Registry Patch instructions:

Note: All steps must be run on a user account with administrator privileges. See the instructions to check if running as administrator and how to switch to an admin account.

Start at step 1, below, for Windows 7 users only. For Windows 10, start at step 2.

1. Pre-requisite step for platforms that have Microsoft .NET Framework 4.5.1 or below.

• Verify Microsoft .NET Framework version in Programs and Features.

• If Microsoft .NET Framework is 4.5.1 or below, update to Microsoft .NET Framework 4.5.2 or above (Microsoft hosted 4.5.2 offline installer).
• Power cycle the instrument

1. Close instrument control software.

2. Download TLS1.2Registry.reg file from the Illumina support site.

3. Move the TLS1.2Registry.reg file to C:\Illumina on instrument.

1. Double click to run the file. Acknowledge pop-up message by selecting Yes to continue.

1. Verify Success message by selecting OK.

1. Power cycle instrument and log back in as a standard (non-admin) account.

Option 3: Set up runs locally without connecting to any Illumina cloud services.

If neither Option 1 nor Option 2 can be enacted, Illumina recommends setting up runs in local mode without connecting to any cloud services. Illumina also recommends turning off Proactive specifically for the MiSeq and NovaSeq 6000 instruments to make sure that runs do not fail. Turning off Proactive will result in users losing the benefits of a Proactive connection and this option should be used only as a last resort.

FAQs

Is it okay if the TLS 1.2 Registry Patch was run twice?

Yes. The tool can be run multiple times without impact.

Do users need to re-validate after applying the registry patch?

Individual users need to determine if they should re-validate. The registry update does not impact the sequencing software, analysis software, or resulting data and merely enables connection to BaseSpace and Proactive.

What should be done if the following error is seen?

Make sure TLS1.2Registry.reg file is in C:\Illumina, rerun TLS1.2Registry.reg, and verify success message by selecting OK. After verifying, power cycle the instrument.