We have 2 JSS servers that we plan on load balancing this summer. Both use their self-signed cert.
On the Load Balancer, do we need to install each JSS server's self-signed cert? Just one?
For DNS, I'm thinking we CNAME the JSS Master to the load balancer IP? Then the LB distributes traffic between the 2 JSS servers as needed?
The way we did it was to assign unique host names to all the backends (we did add a unique CNAME record to them but that was for our internal reference, not for function). We then pointed each to the database server and activated clustering in the JSS. Finally we assigned the official JSS URL to the balancer. We did assign a unique cert to each but in theory you could terminate ssl at the load balancer.
Much more to it than that. I recommend the CJA class whole-heartedly.
Your understanding is close...but not quite I think. Definitely the 3rd party cert is the way to go...to head off some other strange issues and because I recommend getting yourself a wildcard cert personally. It has helped me on my cluster. In the spirit of openness of my posting, I have had some say that you should generate public/private key pairs on each server. Hardened security would probably lean more toward that.
So where your understanding is not quite there I believe is that the clients/load balancer communicate with each other over https/port 8443, but the load balancer and the Tomcat backends do not necessarily need to communicate on 8443. You could do that and set up individual certs on each Tomcat backend and do all traffic over 8443, but you could also terminate ssl (8443) at the load balancer and have it communicate with the Tomcat backends on http/port 8080. That is between your infrastructure guys and security team which way to go.
I am going to give you a good diving off point on clustering
I'll be honest, I really hope you read thoroughly if not already as there are a lot of ways to get it wrong if not totally prepared for such a migration. About 1.5 years ago, I had ZERO knowledge of clustering/load balancing and got hit with traffic overload due to my lack of knowledge. I have since sat through the CJA and properly implemented (as best as I know how with my class knowledge and JAMF buddies overlooking) a 5 member cluster and love sharing our story if interested. I'm hoping to share it at JNUC this year as the whole experience was eye opening and a true learning experience. Anyway, feel free to post your deliberations and whatnot as I know there are folks here who have done this migration as well as myself.
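To make the two options in the reply above concrete, here is an added HAProxy configuration sketch that is not from the thread or from JAMF. It assumes HAProxy as the balancer (the thread never names one), the hostnames jss.example.com, jss1.internal.example.com and jss2.internal.example.com, the certificate paths shown, and the health-check path; all of those are placeholders to adapt. Clients always hit the official JSS name on 8443 and TLS terminates at the balancer with one third-party or wildcard cert. Backend A forwards to Tomcat on plain 8080 (the "terminate ssl at the load balancer" option); backend B re-encrypts to Tomcat on 8443 and verifies the backend certificates, which is where the original question about installing each server's self-signed cert on the balancer comes in: a self-signed cert is its own CA, so concatenating both backends' certs into the ca-file pins them instead of disabling verification.

```haproxy
global
    log /dev/log local0
    # Paths below are constructed placeholders, not values from the thread.
    ca-base /etc/ssl/certs
    crt-base /etc/ssl/private

defaults
    mode http
    log global
    option httplog
    option forwardfor
    timeout connect 5s
    timeout client  60s
    timeout server  60s

# Clients (and the DNS name for the JSS) point at the balancer on 8443.
# TLS terminates here with a single cert for the official JSS URL.
frontend jss_https
    bind *:8443 ssl crt jss.example.com.pem alpn h2,http/1.1
    http-request set-header X-Forwarded-Proto https
    http-request set-header X-Forwarded-Port 8443
    # Pick ONE of the two backends below; both are shown for comparison.
    default_backend jss_tomcat_plain

# Option A: balancer -> Tomcat over http/8080.
# Only acceptable when the balancer-to-backend path is a trusted internal segment.
backend jss_tomcat_plain
    balance roundrobin
    # /healthCheck.html is an assumed health-check path; confirm it for your JSS version.
    option httpchk GET /healthCheck.html
    # Cookie-based stickiness keeps a client on one node (assumption; harmless
    # when JSS clustering already shares state through the database).
    cookie JSSNODE insert indirect nocache
    server jss1 jss1.internal.example.com:8080 check cookie jss1
    server jss2 jss2.internal.example.com:8080 check cookie jss2

# Option B: balancer -> Tomcat over https/8443 with per-backend certs.
# jss-backends-ca.pem is the concatenation of each backend's self-signed cert
# (or your internal CA); "verify required" makes the balancer reject any other cert.
backend jss_tomcat_tls
    balance roundrobin
    option httpchk GET /healthCheck.html
    cookie JSSNODE insert indirect nocache
    server jss1 jss1.internal.example.com:8443 ssl verify required ca-file jss-backends-ca.pem check cookie jss1
    server jss2 jss2.internal.example.com:8443 ssl verify required ca-file jss-backends-ca.pem check cookie jss2
```

Run `haproxy -c -f haproxy.cfg` to syntax-check the file before reloading. Whichever backend you keep, the important security difference is in backend B's server lines: with `verify required` and a ca-file the balancer refuses to forward enrollment and inventory traffic to anything that is not one of your two known JSS nodes, whereas `verify none` (the default for many quick setups) would accept any certificate on 8443.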