Always use encrypted communication for all http connections in SHRINE networks. SHRINE carries login information in http headers. I2b2 carries similar information in http request bodies.
Standard TLS-based https is sufficient.
Setting up SHRINE's Keystore in versions 3.2 and earlier was much more complex. Now SHRINE uses Tomcat's TLS-based https the way almost all other applications do. Tomcat's own documentation is insufficient but these instructions were clear .